| Line | Branch | Exec | Source |
|---|---|---|---|
| 1 | /*********************************************************************** | ||
| 2 | * Copyright (c) 2013-2015 Pieter Wuille, Gregory Maxwell * | ||
| 3 | * Distributed under the MIT software license, see the accompanying * | ||
| 4 | * file COPYING or https://www.opensource.org/licenses/mit-license.php.* | ||
| 5 | ***********************************************************************/ | ||
| 6 | |||
| 7 | #if defined HAVE_CONFIG_H | ||
| 8 | #include "libsecp256k1-config.h" | ||
| 9 | #endif | ||
| 10 | |||
| 11 | #include <stdio.h> | ||
| 12 | #include <stdlib.h> | ||
| 13 | #include <string.h> | ||
| 14 | |||
| 15 | #include <time.h> | ||
| 16 | |||
| 17 | #include "secp256k1.c" | ||
| 18 | #include "../include/secp256k1.h" | ||
| 19 | #include "../include/secp256k1_preallocated.h" | ||
| 20 | #include "testrand_impl.h" | ||
| 21 | #include "util.h" | ||
| 22 | |||
| 23 | #include "../contrib/lax_der_parsing.c" | ||
| 24 | #include "../contrib/lax_der_privatekey_parsing.c" | ||
| 25 | |||
| 26 | #include "modinv32_impl.h" | ||
| 27 | #ifdef SECP256K1_WIDEMUL_INT128 | ||
| 28 | #include "modinv64_impl.h" | ||
| 29 | #endif | ||
| 30 | |||
| 31 | #define CONDITIONAL_TEST(cnt, nam) if (count < (cnt)) { printf("Skipping %s (iteration count too low)\n", nam); } else | ||
| 32 | |||
| 33 | static int count = 64; | ||
| 34 | static secp256k1_context *ctx = NULL; | ||
| 35 | |||
| 36 | 436809 | static void counting_illegal_callback_fn(const char* str, void* data) { | |
| 37 | /* Dummy callback function that just counts. */ | ||
| 38 | 436809 | int32_t *p; | |
| 39 | 436809 | (void)str; | |
| 40 | 436809 | p = data; | |
| 41 | 436809 | (*p)++; | |
| 42 | 436809 | } | |
| 43 | |||
| 44 | 1 | static void uncounting_illegal_callback_fn(const char* str, void* data) { | |
| 45 | /* Dummy callback function that just counts (backwards). */ | ||
| 46 | 1 | int32_t *p; | |
| 47 | 1 | (void)str; | |
| 48 | 1 | p = data; | |
| 49 | 1 | (*p)--; | |
| 50 | 1 | } | |
| 51 | |||
| 52 | 313460 | void random_field_element_test(secp256k1_fe *fe) { | |
| 53 | 114 | do { | |
| 54 | 313574 | unsigned char b32[32]; | |
| 55 | 313574 | secp256k1_testrand256_test(b32); | |
| 56 |
2/2✓ Branch 1 taken 114 times.
✓ Branch 2 taken 313460 times.
|
313574 | if (secp256k1_fe_set_b32(fe, b32)) { |
| 57 | break; | ||
| 58 | } | ||
| 59 | } while(1); | ||
| 60 | 313460 | } | |
| 61 | |||
| 62 | 2833408 | void random_field_element_magnitude(secp256k1_fe *fe) { | |
| 63 | 2833408 | secp256k1_fe zero; | |
| 64 | 2833408 | int n = secp256k1_testrand_int(9); | |
| 65 | 2833408 | secp256k1_fe_normalize(fe); | |
| 66 |
2/2✓ Branch 0 taken 314081 times.
✓ Branch 1 taken 2519327 times.
|
2833408 | if (n == 0) { |
| 67 | 314081 | return; | |
| 68 | } | ||
| 69 | 2519327 | secp256k1_fe_clear(&zero); | |
| 70 | 2519327 | secp256k1_fe_negate(&zero, &zero, 0); | |
| 71 | 2519327 | secp256k1_fe_mul_int(&zero, n - 1); | |
| 72 | 2519327 | secp256k1_fe_add(fe, &zero); | |
| 73 | #ifdef VERIFY | ||
| 74 | CHECK(fe->magnitude == n); | ||
| 75 | #endif | ||
| 76 | } | ||
| 77 | |||
| 78 | 143802 | void random_group_element_test(secp256k1_ge *ge) { | |
| 79 | 286705 | secp256k1_fe fe; | |
| 80 | 286705 | do { | |
| 81 | 286705 | random_field_element_test(&fe); | |
| 82 |
2/2✓ Branch 2 taken 142903 times.
✓ Branch 3 taken 143802 times.
|
286705 | if (secp256k1_ge_set_xo_var(ge, &fe, secp256k1_testrand_bits(1))) { |
| 83 | 143802 | secp256k1_fe_normalize(&ge->y); | |
| 84 | 143802 | break; | |
| 85 | } | ||
| 86 | } while(1); | ||
| 87 | 143802 | ge->infinity = 0; | |
| 88 | 143802 | } | |
| 89 | |||
| 90 | 24704 | void random_group_element_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge) { | |
| 91 | 24706 | secp256k1_fe z2, z3; | |
| 92 | 24706 | do { | |
| 93 | 24706 | random_field_element_test(&gej->z); | |
| 94 |
2/2✓ Branch 0 taken 2 times.
✓ Branch 1 taken 24704 times.
|
24706 | if (!secp256k1_fe_is_zero(&gej->z)) { |
| 95 | break; | ||
| 96 | } | ||
| 97 | } while(1); | ||
| 98 | 24704 | secp256k1_fe_sqr(&z2, &gej->z); | |
| 99 | 24704 | secp256k1_fe_mul(&z3, &z2, &gej->z); | |
| 100 | 24704 | secp256k1_fe_mul(&gej->x, &ge->x, &z2); | |
| 101 | 24704 | secp256k1_fe_mul(&gej->y, &ge->y, &z3); | |
| 102 | 24704 | gej->infinity = ge->infinity; | |
| 103 | 24704 | } | |
| 104 | |||
| 105 | 128 | void random_gej_test(secp256k1_gej *gej) { | |
| 106 | 128 | secp256k1_ge ge; | |
| 107 | 128 | random_group_element_test(&ge); | |
| 108 | 128 | random_group_element_jacobian_test(gej, &ge); | |
| 109 | 128 | } | |
| 110 | |||
| 111 | 88109 | void random_scalar_order_test(secp256k1_scalar *num) { | |
| 112 | 88877 | do { | |
| 113 | 88877 | unsigned char b32[32]; | |
| 114 | 88877 | int overflow = 0; | |
| 115 | 88877 | secp256k1_testrand256_test(b32); | |
| 116 | 88877 | secp256k1_scalar_set_b32(num, b32, &overflow); | |
| 117 |
4/4✓ Branch 0 taken 88118 times.
✓ Branch 1 taken 759 times.
✓ Branch 2 taken 9 times.
✓ Branch 3 taken 88109 times.
|
88877 | if (overflow || secp256k1_scalar_is_zero(num)) { |
| 118 | 768 | continue; | |
| 119 | } | ||
| 120 | 88109 | break; | |
| 121 | } while(1); | ||
| 122 | 88109 | } | |
| 123 | |||
| 124 | 64729 | void random_scalar_order(secp256k1_scalar *num) { | |
| 125 | 64729 | do { | |
| 126 | 64729 | unsigned char b32[32]; | |
| 127 | 64729 | int overflow = 0; | |
| 128 | 64729 | secp256k1_testrand256(b32); | |
| 129 | 64729 | secp256k1_scalar_set_b32(num, b32, &overflow); | |
| 130 |
2/4✓ Branch 0 taken 64729 times.
✗ Branch 1 not taken.
✗ Branch 2 not taken.
✓ Branch 3 taken 64729 times.
|
64729 | if (overflow || secp256k1_scalar_is_zero(num)) { |
| 131 | ✗ | continue; | |
| 132 | } | ||
| 133 | 64729 | break; | |
| 134 | } while(1); | ||
| 135 | 64729 | } | |
| 136 | |||
| 137 | 66 | void random_scalar_order_b32(unsigned char *b32) { | |
| 138 | 66 | secp256k1_scalar num; | |
| 139 | 66 | random_scalar_order(&num); | |
| 140 | 66 | secp256k1_scalar_get_b32(b32, &num); | |
| 141 | 66 | } | |
| 142 | |||
| 143 | 1 | void run_util_tests(void) { | |
| 144 | 1 | int i; | |
| 145 | 1 | uint64_t r; | |
| 146 | 1 | uint64_t r2; | |
| 147 | 1 | uint64_t r3; | |
| 148 | 1 | int64_t s; | |
| 149 | 1 | CHECK(secp256k1_clz64_var(0) == 64); | |
| 150 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_clz64_var(1) == 63); |
| 151 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_clz64_var(2) == 62); |
| 152 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_clz64_var(3) == 62); |
| 153 | CHECK(secp256k1_clz64_var(~0ULL) == 0); | ||
| 154 | CHECK(secp256k1_clz64_var((~0ULL) - 1) == 0); | ||
| 155 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_clz64_var((~0ULL) >> 1) == 1); |
| 156 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_clz64_var((~0ULL) >> 2) == 2); |
| 157 | CHECK(secp256k1_sign_and_abs64(&r, INT64_MAX) == 0); | ||
| 158 | CHECK(r == INT64_MAX); | ||
| 159 | CHECK(secp256k1_sign_and_abs64(&r, INT64_MAX - 1) == 0); | ||
| 160 | CHECK(r == INT64_MAX - 1); | ||
| 161 | CHECK(secp256k1_sign_and_abs64(&r, INT64_MIN) == 1); | ||
| 162 | CHECK(r == (uint64_t)INT64_MAX + 1); | ||
| 163 | CHECK(secp256k1_sign_and_abs64(&r, INT64_MIN + 1) == 1); | ||
| 164 | CHECK(r == (uint64_t)INT64_MAX); | ||
| 165 | CHECK(secp256k1_sign_and_abs64(&r, 0) == 0); | ||
| 166 | CHECK(r == 0); | ||
| 167 | CHECK(secp256k1_sign_and_abs64(&r, 1) == 0); | ||
| 168 | CHECK(r == 1); | ||
| 169 | CHECK(secp256k1_sign_and_abs64(&r, -1) == 1); | ||
| 170 | CHECK(r == 1); | ||
| 171 | CHECK(secp256k1_sign_and_abs64(&r, 2) == 0); | ||
| 172 | CHECK(r == 2); | ||
| 173 | CHECK(secp256k1_sign_and_abs64(&r, -2) == 1); | ||
| 174 | CHECK(r == 2); | ||
| 175 |
2/2✓ Branch 0 taken 10 times.
✓ Branch 1 taken 1 times.
|
11 | for (i = 0; i < 10; i++) { |
| 176 | 10 | CHECK(secp256k1_clz64_var((~0ULL) - secp256k1_testrand32()) == 0); | |
| 177 | 10 | r = ((uint64_t)secp256k1_testrand32() << 32) | secp256k1_testrand32(); | |
| 178 | 10 | r2 = secp256k1_testrandi64(0, r); | |
| 179 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 10 times.
|
10 | CHECK(r2 <= r); |
| 180 | 10 | r3 = secp256k1_testrandi64(r2, r); | |
| 181 |
2/4✓ Branch 0 taken 10 times.
✗ Branch 1 not taken.
✗ Branch 2 not taken.
✓ Branch 3 taken 10 times.
|
10 | CHECK((r3 >= r2) && (r3 <= r)); |
| 182 | 10 | r = secp256k1_testrandi64(0, INT64_MAX); | |
| 183 |
2/2✓ Branch 1 taken 4 times.
✓ Branch 2 taken 6 times.
|
10 | s = (int64_t)r * (secp256k1_testrand32()&1?-1:1); |
| 184 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 10 times.
|
10 | CHECK(secp256k1_sign_and_abs64(&r2, s) == (s < 0)); |
| 185 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 10 times.
|
10 | CHECK(r2 == r); |
| 186 | } | ||
| 187 | 1 | } | |
| 188 | |||
| 189 | 2 | void run_context_tests(int use_prealloc) { | |
| 190 | 2 | secp256k1_pubkey pubkey; | |
| 191 | 2 | secp256k1_pubkey zero_pubkey; | |
| 192 | 2 | secp256k1_ecdsa_signature sig; | |
| 193 | 2 | unsigned char ctmp[32]; | |
| 194 | 2 | int32_t ecount; | |
| 195 | 2 | int32_t ecount2; | |
| 196 | 2 | secp256k1_context *none; | |
| 197 | 2 | secp256k1_context *sign; | |
| 198 | 2 | secp256k1_context *vrfy; | |
| 199 | 2 | secp256k1_context *both; | |
| 200 | 2 | secp256k1_context *sttc; | |
| 201 | 2 | void *none_prealloc = NULL; | |
| 202 | 2 | void *sign_prealloc = NULL; | |
| 203 | 2 | void *vrfy_prealloc = NULL; | |
| 204 | 2 | void *both_prealloc = NULL; | |
| 205 | 2 | void *sttc_prealloc = NULL; | |
| 206 | |||
| 207 | 2 | secp256k1_gej pubj; | |
| 208 | 2 | secp256k1_ge pub; | |
| 209 | 2 | secp256k1_scalar msg, key, nonce; | |
| 210 | 2 | secp256k1_scalar sigr, sigs; | |
| 211 | |||
| 212 |
2/2✓ Branch 0 taken 1 times.
✓ Branch 1 taken 1 times.
|
2 | if (use_prealloc) { |
| 213 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | none_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); |
| 214 | 1 | sign_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); | |
| 215 | 1 | vrfy_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); | |
| 216 | 1 | both_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); | |
| 217 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | sttc_prealloc = malloc(secp256k1_context_preallocated_clone_size(secp256k1_context_no_precomp)); |
| 218 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(none_prealloc != NULL); |
| 219 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(sign_prealloc != NULL); |
| 220 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(vrfy_prealloc != NULL); |
| 221 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(both_prealloc != NULL); |
| 222 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(sttc_prealloc != NULL); |
| 223 | 1 | none = secp256k1_context_preallocated_create(none_prealloc, SECP256K1_CONTEXT_NONE); | |
| 224 | 1 | sign = secp256k1_context_preallocated_create(sign_prealloc, SECP256K1_CONTEXT_SIGN); | |
| 225 | 1 | vrfy = secp256k1_context_preallocated_create(vrfy_prealloc, SECP256K1_CONTEXT_VERIFY); | |
| 226 | 1 | both = secp256k1_context_preallocated_create(both_prealloc, SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY); | |
| 227 | 1 | sttc = secp256k1_context_preallocated_clone(secp256k1_context_no_precomp, sttc_prealloc); | |
| 228 | } else { | ||
| 229 | 1 | none = secp256k1_context_create(SECP256K1_CONTEXT_NONE); | |
| 230 | 1 | sign = secp256k1_context_create(SECP256K1_CONTEXT_SIGN); | |
| 231 | 1 | vrfy = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY); | |
| 232 | 1 | both = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY); | |
| 233 | 1 | sttc = secp256k1_context_clone(secp256k1_context_no_precomp); | |
| 234 | } | ||
| 235 | |||
| 236 | 2 | memset(&zero_pubkey, 0, sizeof(zero_pubkey)); | |
| 237 | |||
| 238 | 2 | ecount = 0; | |
| 239 | 2 | ecount2 = 10; | |
| 240 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
|
2 | secp256k1_context_set_illegal_callback(sttc, counting_illegal_callback_fn, &ecount); |
| 241 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
|
2 | secp256k1_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount2); |
| 242 | /* set error callback (to a function that still aborts in case malloc() fails in secp256k1_context_clone() below) */ | ||
| 243 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
|
2 | secp256k1_context_set_error_callback(sign, secp256k1_default_illegal_callback_fn, NULL); |
| 244 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
|
2 | CHECK(sign->error_callback.fn != vrfy->error_callback.fn); |
| 245 | 2 | CHECK(sign->error_callback.fn == secp256k1_default_illegal_callback_fn); | |
| 246 | |||
| 247 | /* check if sizes for cloning are consistent */ | ||
| 248 |
2/2✓ Branch 0 taken 1 times.
✓ Branch 1 taken 1 times.
|
2 | CHECK(secp256k1_context_preallocated_clone_size(none) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); |
| 249 | 2 | CHECK(secp256k1_context_preallocated_clone_size(sign) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); | |
| 250 | 2 | CHECK(secp256k1_context_preallocated_clone_size(vrfy) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); | |
| 251 | 2 | CHECK(secp256k1_context_preallocated_clone_size(both) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); | |
| 252 | 2 | CHECK(secp256k1_context_preallocated_clone_size(sttc) >= sizeof(secp256k1_context)); | |
| 253 | |||
| 254 | /*** clone and destroy all of them to make sure cloning was complete ***/ | ||
| 255 | { | ||
| 256 | 2 | secp256k1_context *ctx_tmp; | |
| 257 | |||
| 258 |
2/2✓ Branch 0 taken 1 times.
✓ Branch 1 taken 1 times.
|
2 | if (use_prealloc) { |
| 259 | /* clone into a non-preallocated context and then again into a new preallocated one. */ | ||
| 260 | 1 | ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_preallocated_destroy(ctx_tmp); | |
| 261 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | free(none_prealloc); none_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(none_prealloc != NULL); |
| 262 | 1 | ctx_tmp = none; none = secp256k1_context_preallocated_clone(none, none_prealloc); secp256k1_context_destroy(ctx_tmp); | |
| 263 | |||
| 264 | 1 | ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_preallocated_destroy(ctx_tmp); | |
| 265 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | free(sign_prealloc); sign_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); CHECK(sign_prealloc != NULL); |
| 266 | 1 | ctx_tmp = sign; sign = secp256k1_context_preallocated_clone(sign, sign_prealloc); secp256k1_context_destroy(ctx_tmp); | |
| 267 | |||
| 268 | 1 | ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_preallocated_destroy(ctx_tmp); | |
| 269 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | free(vrfy_prealloc); vrfy_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); CHECK(vrfy_prealloc != NULL); |
| 270 | 1 | ctx_tmp = vrfy; vrfy = secp256k1_context_preallocated_clone(vrfy, vrfy_prealloc); secp256k1_context_destroy(ctx_tmp); | |
| 271 | |||
| 272 | 1 | ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_preallocated_destroy(ctx_tmp); | |
| 273 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | free(both_prealloc); both_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(both_prealloc != NULL); |
| 274 | 1 | ctx_tmp = both; both = secp256k1_context_preallocated_clone(both, both_prealloc); secp256k1_context_destroy(ctx_tmp); | |
| 275 | } else { | ||
| 276 | /* clone into a preallocated context and then again into a new non-preallocated one. */ | ||
| 277 | 1 | void *prealloc_tmp; | |
| 278 | |||
| 279 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(prealloc_tmp != NULL); |
| 280 | 1 | ctx_tmp = none; none = secp256k1_context_preallocated_clone(none, prealloc_tmp); secp256k1_context_destroy(ctx_tmp); | |
| 281 | 1 | ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_preallocated_destroy(ctx_tmp); | |
| 282 | 1 | free(prealloc_tmp); | |
| 283 | |||
| 284 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); CHECK(prealloc_tmp != NULL); |
| 285 | 1 | ctx_tmp = sign; sign = secp256k1_context_preallocated_clone(sign, prealloc_tmp); secp256k1_context_destroy(ctx_tmp); | |
| 286 | 1 | ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_preallocated_destroy(ctx_tmp); | |
| 287 | 1 | free(prealloc_tmp); | |
| 288 | |||
| 289 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL); |
| 290 | 1 | ctx_tmp = vrfy; vrfy = secp256k1_context_preallocated_clone(vrfy, prealloc_tmp); secp256k1_context_destroy(ctx_tmp); | |
| 291 | 1 | ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_preallocated_destroy(ctx_tmp); | |
| 292 | 1 | free(prealloc_tmp); | |
| 293 | |||
| 294 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL); |
| 295 | 1 | ctx_tmp = both; both = secp256k1_context_preallocated_clone(both, prealloc_tmp); secp256k1_context_destroy(ctx_tmp); | |
| 296 | 1 | ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_preallocated_destroy(ctx_tmp); | |
| 297 | 1 | free(prealloc_tmp); | |
| 298 | } | ||
| 299 | } | ||
| 300 | |||
| 301 | /* Verify that the error callback makes it across the clone. */ | ||
| 302 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
|
2 | CHECK(sign->error_callback.fn != vrfy->error_callback.fn); |
| 303 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
|
2 | CHECK(sign->error_callback.fn == secp256k1_default_illegal_callback_fn); |
| 304 | /* And that it resets back to default. */ | ||
| 305 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
|
2 | secp256k1_context_set_error_callback(sign, NULL, NULL); |
| 306 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
|
2 | CHECK(vrfy->error_callback.fn == sign->error_callback.fn); |
| 307 | |||
| 308 | /*** attempt to use them ***/ | ||
| 309 | 2 | random_scalar_order_test(&msg); | |
| 310 | 2 | random_scalar_order_test(&key); | |
| 311 | 2 | secp256k1_ecmult_gen(&both->ecmult_gen_ctx, &pubj, &key); | |
| 312 | 2 | secp256k1_ge_set_gej(&pub, &pubj); | |
| 313 | |||
| 314 | /* Verify context-type checking illegal-argument errors. */ | ||
| 315 | 2 | memset(ctmp, 1, 32); | |
| 316 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 2 times.
|
2 | CHECK(secp256k1_ec_pubkey_create(sttc, &pubkey, ctmp) == 0); |
| 317 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
|
2 | CHECK(ecount == 1); |
| 318 | 2 | VG_UNDEF(&pubkey, sizeof(pubkey)); | |
| 319 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 2 times.
|
2 | CHECK(secp256k1_ec_pubkey_create(sign, &pubkey, ctmp) == 1); |
| 320 | 2 | VG_CHECK(&pubkey, sizeof(pubkey)); | |
| 321 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 2 times.
|
2 | CHECK(secp256k1_ecdsa_sign(sttc, &sig, ctmp, ctmp, NULL, NULL) == 0); |
| 322 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
|
2 | CHECK(ecount == 2); |
| 323 | 2 | VG_UNDEF(&sig, sizeof(sig)); | |
| 324 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 2 times.
|
2 | CHECK(secp256k1_ecdsa_sign(sign, &sig, ctmp, ctmp, NULL, NULL) == 1); |
| 325 | 2 | VG_CHECK(&sig, sizeof(sig)); | |
| 326 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
|
2 | CHECK(ecount2 == 10); |
| 327 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 2 times.
|
2 | CHECK(secp256k1_ecdsa_verify(sign, &sig, ctmp, &pubkey) == 1); |
| 328 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
|
2 | CHECK(ecount2 == 10); |
| 329 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 2 times.
|
2 | CHECK(secp256k1_ecdsa_verify(sttc, &sig, ctmp, &pubkey) == 1); |
| 330 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
|
2 | CHECK(ecount == 2); |
| 331 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 2 times.
|
2 | CHECK(secp256k1_ec_pubkey_tweak_add(sign, &pubkey, ctmp) == 1); |
| 332 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
|
2 | CHECK(ecount2 == 10); |
| 333 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 2 times.
|
2 | CHECK(secp256k1_ec_pubkey_tweak_add(sttc, &pubkey, ctmp) == 1); |
| 334 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
|
2 | CHECK(ecount == 2); |
| 335 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 2 times.
|
2 | CHECK(secp256k1_ec_pubkey_tweak_mul(sign, &pubkey, ctmp) == 1); |
| 336 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
|
2 | CHECK(ecount2 == 10); |
| 337 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 2 times.
|
2 | CHECK(secp256k1_ec_pubkey_negate(sttc, &pubkey) == 1); |
| 338 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
|
2 | CHECK(ecount == 2); |
| 339 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 2 times.
|
2 | CHECK(secp256k1_ec_pubkey_negate(sign, &pubkey) == 1); |
| 340 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
|
2 | CHECK(ecount == 2); |
| 341 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 2 times.
|
2 | CHECK(secp256k1_ec_pubkey_negate(sign, NULL) == 0); |
| 342 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
|
2 | CHECK(ecount2 == 11); |
| 343 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 2 times.
|
2 | CHECK(secp256k1_ec_pubkey_negate(sttc, &zero_pubkey) == 0); |
| 344 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
|
2 | CHECK(ecount == 3); |
| 345 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 2 times.
|
2 | CHECK(secp256k1_ec_pubkey_tweak_mul(sttc, &pubkey, ctmp) == 1); |
| 346 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
|
2 | CHECK(ecount == 3); |
| 347 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
|
2 | CHECK(secp256k1_context_randomize(sttc, ctmp) == 1); |
| 348 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
|
2 | CHECK(ecount == 3); |
| 349 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
|
2 | CHECK(secp256k1_context_randomize(sttc, NULL) == 1); |
| 350 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
|
2 | CHECK(ecount == 3); |
| 351 |
1/2✓ Branch 0 taken 2 times.
✗ Branch 1 not taken.
|
2 | CHECK(secp256k1_context_randomize(sign, ctmp) == 1); |
| 352 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
|
2 | CHECK(ecount2 == 11); |
| 353 |
1/2✓ Branch 0 taken 2 times.
✗ Branch 1 not taken.
|
2 | CHECK(secp256k1_context_randomize(sign, NULL) == 1); |
| 354 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
|
2 | CHECK(ecount2 == 11); |
| 355 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
|
2 | secp256k1_context_set_illegal_callback(sttc, NULL, NULL); |
| 356 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
|
2 | secp256k1_context_set_illegal_callback(sign, NULL, NULL); |
| 357 | |||
| 358 | /* obtain a working nonce */ | ||
| 359 | 2 | do { | |
| 360 | 2 | random_scalar_order_test(&nonce); | |
| 361 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 2 times.
|
2 | } while(!secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL)); |
| 362 | |||
| 363 | /* try signing */ | ||
| 364 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 2 times.
|
2 | CHECK(secp256k1_ecdsa_sig_sign(&sign->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL)); |
| 365 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 2 times.
|
2 | CHECK(secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL)); |
| 366 | |||
| 367 | /* try verifying */ | ||
| 368 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 2 times.
|
2 | CHECK(secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg)); |
| 369 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 2 times.
|
2 | CHECK(secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg)); |
| 370 | |||
| 371 | /* cleanup */ | ||
| 372 |
2/2✓ Branch 0 taken 1 times.
✓ Branch 1 taken 1 times.
|
2 | if (use_prealloc) { |
| 373 | 1 | secp256k1_context_preallocated_destroy(none); | |
| 374 | 1 | secp256k1_context_preallocated_destroy(sign); | |
| 375 | 1 | secp256k1_context_preallocated_destroy(vrfy); | |
| 376 | 1 | secp256k1_context_preallocated_destroy(both); | |
| 377 | 1 | secp256k1_context_preallocated_destroy(sttc); | |
| 378 | 1 | free(none_prealloc); | |
| 379 | 1 | free(sign_prealloc); | |
| 380 | 1 | free(vrfy_prealloc); | |
| 381 | 1 | free(both_prealloc); | |
| 382 | 1 | free(sttc_prealloc); | |
| 383 | } else { | ||
| 384 | 1 | secp256k1_context_destroy(none); | |
| 385 | 1 | secp256k1_context_destroy(sign); | |
| 386 | 1 | secp256k1_context_destroy(vrfy); | |
| 387 | 1 | secp256k1_context_destroy(both); | |
| 388 | 1 | secp256k1_context_destroy(sttc); | |
| 389 | } | ||
| 390 | /* Defined as no-op. */ | ||
| 391 | 2 | secp256k1_context_destroy(NULL); | |
| 392 | 2 | secp256k1_context_preallocated_destroy(NULL); | |
| 393 | |||
| 394 | 2 | } | |
| 395 | |||
| 396 | 1 | void run_scratch_tests(void) { | |
| 397 | 1 | const size_t adj_alloc = ((500 + ALIGNMENT - 1) / ALIGNMENT) * ALIGNMENT; | |
| 398 | |||
| 399 | 1 | int32_t ecount = 0; | |
| 400 | 1 | size_t checkpoint; | |
| 401 | 1 | size_t checkpoint_2; | |
| 402 | 1 | secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE); | |
| 403 | 1 | secp256k1_scratch_space *scratch; | |
| 404 | 1 | secp256k1_scratch_space local_scratch; | |
| 405 | |||
| 406 | /* Test public API */ | ||
| 407 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | secp256k1_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount); |
| 408 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | secp256k1_context_set_error_callback(none, counting_illegal_callback_fn, &ecount); |
| 409 | |||
| 410 | 1 | scratch = secp256k1_scratch_space_create(none, 1000); | |
| 411 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(scratch != NULL); |
| 412 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 0); |
| 413 | |||
| 414 | /* Test internal API */ | ||
| 415 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000); |
| 416 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - (ALIGNMENT - 1)); |
| 417 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(scratch->alloc_size == 0); |
| 418 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(scratch->alloc_size % ALIGNMENT == 0); |
| 419 | |||
| 420 | /* Allocating 500 bytes succeeds */ | ||
| 421 | 1 | checkpoint = secp256k1_scratch_checkpoint(&none->error_callback, scratch); | |
| 422 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) != NULL); |
| 423 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000 - adj_alloc); |
| 424 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1)); |
| 425 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(scratch->alloc_size != 0); |
| 426 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(scratch->alloc_size % ALIGNMENT == 0); |
| 427 | |||
| 428 | /* Allocating another 501 bytes fails */ | ||
| 429 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 501) == NULL); |
| 430 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000 - adj_alloc); |
| 431 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1)); |
| 432 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(scratch->alloc_size != 0); |
| 433 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(scratch->alloc_size % ALIGNMENT == 0); |
| 434 | |||
| 435 | /* ...but it succeeds once we apply the checkpoint to undo it */ | ||
| 436 | 1 | secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint); | |
| 437 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(scratch->alloc_size == 0); |
| 438 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000); |
| 439 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) != NULL); |
| 440 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(scratch->alloc_size != 0); |
| 441 | |||
| 442 | /* try to apply a bad checkpoint */ | ||
| 443 | 1 | checkpoint_2 = secp256k1_scratch_checkpoint(&none->error_callback, scratch); | |
| 444 | 1 | secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint); | |
| 445 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 0); |
| 446 | 1 | secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint_2); /* checkpoint_2 is after checkpoint */ | |
| 447 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 1); |
| 448 | 1 | secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, (size_t) -1); /* this is just wildly invalid */ | |
| 449 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 2); |
| 450 | |||
| 451 | /* try to use badly initialized scratch space */ | ||
| 452 | 1 | secp256k1_scratch_space_destroy(none, scratch); | |
| 453 | 1 | memset(&local_scratch, 0, sizeof(local_scratch)); | |
| 454 | 1 | scratch = &local_scratch; | |
| 455 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(!secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0)); |
| 456 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 3); |
| 457 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) == NULL); |
| 458 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 4); |
| 459 | 1 | secp256k1_scratch_space_destroy(none, scratch); | |
| 460 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 5); |
| 461 | |||
| 462 | /* Test that large integers do not wrap around in a bad way */ | ||
| 463 | 1 | scratch = secp256k1_scratch_space_create(none, 1000); | |
| 464 | /* Try max allocation with a large number of objects. Only makes sense if | ||
| 465 | * ALIGNMENT is greater than 1 because otherwise the objects take no extra | ||
| 466 | * space. */ | ||
| 467 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(ALIGNMENT <= 1 || !secp256k1_scratch_max_allocation(&none->error_callback, scratch, (SIZE_MAX / (ALIGNMENT - 1)) + 1)); |
| 468 | /* Try allocating SIZE_MAX to test wrap around which only happens if | ||
| 469 | * ALIGNMENT > 1, otherwise it returns NULL anyway because the scratch | ||
| 470 | * space is too small. */ | ||
| 471 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, SIZE_MAX) == NULL); |
| 472 | 1 | secp256k1_scratch_space_destroy(none, scratch); | |
| 473 | |||
| 474 | /* cleanup */ | ||
| 475 | 1 | secp256k1_scratch_space_destroy(none, NULL); /* no-op */ | |
| 476 | 1 | secp256k1_context_destroy(none); | |
| 477 | 1 | } | |
| 478 | |||
| 479 | 1 | void run_ctz_tests(void) { | |
| 480 | 1 | static const uint32_t b32[] = {1, 0xffffffff, 0x5e56968f, 0xe0d63129}; | |
| 481 | 1 | static const uint64_t b64[] = {1, 0xffffffffffffffff, 0xbcd02462139b3fc3, 0x98b5f80c769693ef}; | |
| 482 | 1 | int shift; | |
| 483 | 1 | unsigned i; | |
| 484 |
2/2✓ Branch 0 taken 4 times.
✓ Branch 1 taken 1 times.
|
5 | for (i = 0; i < sizeof(b32) / sizeof(b32[0]); ++i) { |
| 485 |
2/2✓ Branch 0 taken 128 times.
✓ Branch 1 taken 4 times.
|
132 | for (shift = 0; shift < 32; ++shift) { |
| 486 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 128 times.
|
128 | CHECK(secp256k1_ctz32_var_debruijn(b32[i] << shift) == shift); |
| 487 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 128 times.
|
128 | CHECK(secp256k1_ctz32_var(b32[i] << shift) == shift); |
| 488 | } | ||
| 489 | } | ||
| 490 |
2/2✓ Branch 0 taken 4 times.
✓ Branch 1 taken 1 times.
|
5 | for (i = 0; i < sizeof(b64) / sizeof(b64[0]); ++i) { |
| 491 |
2/2✓ Branch 0 taken 256 times.
✓ Branch 1 taken 4 times.
|
260 | for (shift = 0; shift < 64; ++shift) { |
| 492 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 256 times.
|
256 | CHECK(secp256k1_ctz64_var_debruijn(b64[i] << shift) == shift); |
| 493 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 256 times.
|
256 | CHECK(secp256k1_ctz64_var(b64[i] << shift) == shift); |
| 494 | } | ||
| 495 | } | ||
| 496 | 1 | } | |
| 497 | |||
| 498 | /***** HASH TESTS *****/ | ||
| 499 | |||
| 500 | 1 | void run_sha256_known_output_tests(void) { | |
| 501 | 1 | static const char *inputs[] = { | |
| 502 | "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe", | ||
| 503 | "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", | ||
| 504 | "For this sample, this 63-byte string will be used as input data", | ||
| 505 | "This is exactly 64 bytes long, not counting the terminating byte", | ||
| 506 | "aaaaa", | ||
| 507 | }; | ||
| 508 | 1 | static const unsigned int repeat[] = { | |
| 509 | 1, 1, 1, 1, 1, 1, 1, 1, 1000000/5 | ||
| 510 | }; | ||
| 511 | 1 | static const unsigned char outputs[][32] = { | |
| 512 | {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55}, | ||
| 513 | {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad}, | ||
| 514 | {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50}, | ||
| 515 | {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d}, | ||
| 516 | {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30}, | ||
| 517 | {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1}, | ||
| 518 | {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42}, | ||
| 519 | {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8}, | ||
| 520 | {0xcd, 0xc7, 0x6e, 0x5c, 0x99, 0x14, 0xfb, 0x92, 0x81, 0xa1, 0xc7, 0xe2, 0x84, 0xd7, 0x3e, 0x67, 0xf1, 0x80, 0x9a, 0x48, 0xa4, 0x97, 0x20, 0x0e, 0x04, 0x6d, 0x39, 0xcc, 0xc7, 0x11, 0x2c, 0xd0}, | ||
| 521 | }; | ||
| 522 | 1 | unsigned int i, ninputs; | |
| 523 | |||
| 524 | /* Skip last input vector for low iteration counts */ | ||
| 525 | 1 | ninputs = sizeof(inputs)/sizeof(inputs[0]) - 1; | |
| 526 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CONDITIONAL_TEST(16, "run_sha256_known_output_tests 1000000") ninputs++; |
| 527 | |||
| 528 |
2/2✓ Branch 0 taken 9 times.
✓ Branch 1 taken 1 times.
|
10 | for (i = 0; i < ninputs; i++) { |
| 529 | 9 | unsigned char out[32]; | |
| 530 | 9 | secp256k1_sha256 hasher; | |
| 531 | 9 | unsigned int j; | |
| 532 | /* 1. Run: simply write the input bytestrings */ | ||
| 533 | 9 | j = repeat[i]; | |
| 534 | 9 | secp256k1_sha256_initialize(&hasher); | |
| 535 |
2/2✓ Branch 0 taken 200008 times.
✓ Branch 1 taken 9 times.
|
200017 | while (j > 0) { |
| 536 | 200008 | secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i])); | |
| 537 | 200008 | j--; | |
| 538 | } | ||
| 539 | 9 | secp256k1_sha256_finalize(&hasher, out); | |
| 540 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 9 times.
|
18 | CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0); |
| 541 | /* 2. Run: split the input bytestrings randomly before writing */ | ||
| 542 |
2/2✓ Branch 0 taken 8 times.
✓ Branch 1 taken 1 times.
|
9 | if (strlen(inputs[i]) > 0) { |
| 543 | 8 | int split = secp256k1_testrand_int(strlen(inputs[i])); | |
| 544 | 8 | secp256k1_sha256_initialize(&hasher); | |
| 545 | 8 | j = repeat[i]; | |
| 546 |
2/2✓ Branch 0 taken 200007 times.
✓ Branch 1 taken 8 times.
|
200015 | while (j > 0) { |
| 547 | 200007 | secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split); | |
| 548 | 200007 | secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split); | |
| 549 | 200007 | j--; | |
| 550 | } | ||
| 551 | 8 | secp256k1_sha256_finalize(&hasher, out); | |
| 552 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 8 times.
|
17 | CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0); |
| 553 | } | ||
| 554 | } | ||
| 555 | 1 | } | |
| 556 | |||
| 557 | /** SHA256 counter tests | ||
| 558 | |||
| 559 | The tests verify that the SHA256 counter doesn't wrap around at message length | ||
| 560 | 2^i bytes for i = 20, ..., 33. This wide range aims at being independent of the | ||
| 561 | implementation of the counter and it catches multiple natural 32-bit overflows | ||
| 562 | (e.g., counting bits, counting bytes, counting blocks, ...). | ||
| 563 | |||
| 564 | The test vectors have been generated using following Python script which relies | ||
| 565 | on https://github.com/cloudtools/sha256/ (v0.3 on Python v3.10.2). | ||
| 566 | |||
| 567 | ``` | ||
| 568 | from sha256 import sha256 | ||
| 569 | from copy import copy | ||
| 570 | |||
| 571 | def midstate_c_definition(hasher): | ||
| 572 | ret = ' {{0x' + hasher.state[0].hex('_', 4).replace('_', ', 0x') + '},\n' | ||
| 573 | ret += ' {0x00}, ' + str(hex(hasher.state[1])) + '}' | ||
| 574 | return ret | ||
| 575 | |||
| 576 | def output_c_literal(hasher): | ||
| 577 | return '{0x' + hasher.digest().hex('_').replace('_', ', 0x') + '}' | ||
| 578 | |||
| 579 | MESSAGE = b'abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmno' | ||
| 580 | assert(len(MESSAGE) == 64) | ||
| 581 | BYTE_BOUNDARIES = [(2**b)//len(MESSAGE) - 1 for b in range(20, 34)] | ||
| 582 | |||
| 583 | midstates = [] | ||
| 584 | digests = [] | ||
| 585 | hasher = sha256() | ||
| 586 | for i in range(BYTE_BOUNDARIES[-1] + 1): | ||
| 587 | if i in BYTE_BOUNDARIES: | ||
| 588 | midstates.append(midstate_c_definition(hasher)) | ||
| 589 | hasher_copy = copy(hasher) | ||
| 590 | hasher_copy.update(MESSAGE) | ||
| 591 | digests.append(output_c_literal(hasher_copy)) | ||
| 592 | hasher.update(MESSAGE) | ||
| 593 | |||
| 594 | for x in midstates: | ||
| 595 | print(x + ',') | ||
| 596 | |||
| 597 | for x in digests: | ||
| 598 | print(x + ',') | ||
| 599 | ``` | ||
| 600 | */ | ||
| 601 | 1 | void run_sha256_counter_tests(void) { | |
| 602 | 1 | static const char *input = "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmno"; | |
| 603 | 1 | static const secp256k1_sha256 midstates[] = { | |
| 604 | {{0xa2b5c8bb, 0x26c88bb3, 0x2abdc3d2, 0x9def99a3, 0xdfd21a6e, 0x41fe585b, 0x7ef2c440, 0x2b79adda}, | ||
| 605 | {0x00}, 0xfffc0}, | ||
| 606 | {{0xa0d29445, 0x9287de66, 0x76aabd71, 0x41acd765, 0x0c7528b4, 0x84e14906, 0x942faec6, 0xcc5a7b26}, | ||
| 607 | {0x00}, 0x1fffc0}, | ||
| 608 | {{0x50449526, 0xb9f1d657, 0xa0fc13e9, 0x50860f10, 0xa550c431, 0x3fbc97c1, 0x7bbb2d89, 0xdb67bac1}, | ||
| 609 | {0x00}, 0x3fffc0}, | ||
| 610 | {{0x54a6efdc, 0x46762e7b, 0x88bfe73f, 0xbbd149c7, 0x41620c43, 0x1168da7b, 0x2c5960f9, 0xeccffda6}, | ||
| 611 | {0x00}, 0x7fffc0}, | ||
| 612 | {{0x2515a8f5, 0x5faa2977, 0x3a850486, 0xac858cad, 0x7b7276ee, 0x235c0385, 0xc53a157c, 0x7cb3e69c}, | ||
| 613 | {0x00}, 0xffffc0}, | ||
| 614 | {{0x34f39828, 0x409fedb7, 0x4bbdd0fb, 0x3b643634, 0x7806bf2e, 0xe0d1b713, 0xca3f2e1e, 0xe38722c2}, | ||
| 615 | {0x00}, 0x1ffffc0}, | ||
| 616 | {{0x389ef5c5, 0x38c54167, 0x8f5d56ab, 0x582a75cc, 0x8217caef, 0xf10947dd, 0x6a1998a8, 0x048f0b8c}, | ||
| 617 | {0x00}, 0x3ffffc0}, | ||
| 618 | {{0xd6c3f394, 0x0bee43b9, 0x6783f497, 0x29fa9e21, 0x6ce491c1, 0xa81fe45e, 0x2fc3859a, 0x269012d0}, | ||
| 619 | {0x00}, 0x7ffffc0}, | ||
| 620 | {{0x6dd3c526, 0x44d88aa0, 0x806a1bae, 0xfbcc0d32, 0x9d6144f3, 0x9d2bd757, 0x9851a957, 0xb50430ad}, | ||
| 621 | {0x00}, 0xfffffc0}, | ||
| 622 | {{0x2add4021, 0xdfe8a9e6, 0xa56317c6, 0x7a15f5bb, 0x4a48aacd, 0x5d368414, 0x4f00e6f0, 0xd9355023}, | ||
| 623 | {0x00}, 0x1fffffc0}, | ||
| 624 | {{0xb66666b4, 0xdbeac32b, 0x0ea351ae, 0xcba9da46, 0x6278b874, 0x8c508e23, 0xe16ca776, 0x8465bac1}, | ||
| 625 | {0x00}, 0x3fffffc0}, | ||
| 626 | {{0xb6744789, 0x9cce87aa, 0xc4c478b7, 0xf38404d8, 0x2e38ba62, 0xa3f7019b, 0x50458fe7, 0x3047dbec}, | ||
| 627 | {0x00}, 0x7fffffc0}, | ||
| 628 | {{0x8b1297ba, 0xba261a80, 0x2ba1b0dd, 0xfbc67d6d, 0x61072c4e, 0x4b5a2a0f, 0x52872760, 0x2dfeb162}, | ||
| 629 | {0x00}, 0xffffffc0}, | ||
| 630 | {{0x24f33cf7, 0x41ad6583, 0x41c8ff5d, 0xca7ef35f, 0x50395756, 0x021b743e, 0xd7126cd7, 0xd037473a}, | ||
| 631 | {0x00}, 0x1ffffffc0}, | ||
| 632 | }; | ||
| 633 | 1 | static const unsigned char outputs[][32] = { | |
| 634 | {0x0e, 0x83, 0xe2, 0xc9, 0x4f, 0xb2, 0xb8, 0x2b, 0x89, 0x06, 0x92, 0x78, 0x04, 0x03, 0x48, 0x5c, 0x48, 0x44, 0x67, 0x61, 0x77, 0xa4, 0xc7, 0x90, 0x9e, 0x92, 0x55, 0x10, 0x05, 0xfe, 0x39, 0x15}, | ||
| 635 | {0x1d, 0x1e, 0xd7, 0xb8, 0xa3, 0xa7, 0x8a, 0x79, 0xfd, 0xa0, 0x05, 0x08, 0x9c, 0xeb, 0xf0, 0xec, 0x67, 0x07, 0x9f, 0x8e, 0x3c, 0x0d, 0x8e, 0xf9, 0x75, 0x55, 0x13, 0xc1, 0xe8, 0x77, 0xf8, 0xbb}, | ||
| 636 | {0x66, 0x95, 0x6c, 0xc9, 0xe0, 0x39, 0x65, 0xb6, 0xb0, 0x05, 0xd1, 0xaf, 0xaf, 0xf3, 0x1d, 0xb9, 0xa4, 0xda, 0x6f, 0x20, 0xcd, 0x3a, 0xae, 0x64, 0xc2, 0xdb, 0xee, 0xf5, 0xb8, 0x8d, 0x57, 0x0e}, | ||
| 637 | {0x3c, 0xbb, 0x1c, 0x12, 0x5e, 0x17, 0xfd, 0x54, 0x90, 0x45, 0xa7, 0x7b, 0x61, 0x6c, 0x1d, 0xfe, 0xe6, 0xcc, 0x7f, 0xee, 0xcf, 0xef, 0x33, 0x35, 0x50, 0x62, 0x16, 0x70, 0x2f, 0x87, 0xc3, 0xc9}, | ||
| 638 | {0x53, 0x4d, 0xa8, 0xe7, 0x1e, 0x98, 0x73, 0x8d, 0xd9, 0xa3, 0x54, 0xa5, 0x0e, 0x59, 0x2c, 0x25, 0x43, 0x6f, 0xaa, 0xa2, 0xf5, 0x21, 0x06, 0x3e, 0xc9, 0x82, 0x06, 0x94, 0x98, 0x72, 0x9d, 0xa7}, | ||
| 639 | {0xef, 0x7e, 0xe9, 0x6b, 0xd3, 0xe5, 0xb7, 0x41, 0x4c, 0xc8, 0xd3, 0x07, 0x52, 0x9a, 0x5a, 0x8b, 0x4e, 0x1e, 0x75, 0xa4, 0x17, 0x78, 0xc8, 0x36, 0xcd, 0xf8, 0x2e, 0xd9, 0x57, 0xe3, 0xd7, 0x07}, | ||
| 640 | {0x87, 0x16, 0xfb, 0xf9, 0xa5, 0xf8, 0xc4, 0x56, 0x2b, 0x48, 0x52, 0x8e, 0x2d, 0x30, 0x85, 0xb6, 0x4c, 0x56, 0xb5, 0xd1, 0x16, 0x9c, 0xcf, 0x32, 0x95, 0xad, 0x03, 0xe8, 0x05, 0x58, 0x06, 0x76}, | ||
| 641 | {0x75, 0x03, 0x80, 0x28, 0xf2, 0xa7, 0x63, 0x22, 0x1a, 0x26, 0x9c, 0x68, 0xe0, 0x58, 0xfc, 0x73, 0xeb, 0x42, 0xf6, 0x86, 0x16, 0x24, 0x4b, 0xbc, 0x24, 0xf7, 0x02, 0xc8, 0x3d, 0x90, 0xe2, 0xb0}, | ||
| 642 | {0xdf, 0x49, 0x0f, 0x15, 0x7b, 0x7d, 0xbf, 0xe0, 0xd4, 0xcf, 0x47, 0xc0, 0x80, 0x93, 0x4a, 0x61, 0xaa, 0x03, 0x07, 0x66, 0xb3, 0x38, 0x5d, 0xc8, 0xc9, 0x07, 0x61, 0xfb, 0x97, 0x10, 0x2f, 0xd8}, | ||
| 643 | {0x77, 0x19, 0x40, 0x56, 0x41, 0xad, 0xbc, 0x59, 0xda, 0x1e, 0xc5, 0x37, 0x14, 0x63, 0x7b, 0xfb, 0x79, 0xe2, 0x7a, 0xb1, 0x55, 0x42, 0x99, 0x42, 0x56, 0xfe, 0x26, 0x9d, 0x0f, 0x7e, 0x80, 0xc6}, | ||
| 644 | {0x50, 0xe7, 0x2a, 0x0e, 0x26, 0x44, 0x2f, 0xe2, 0x55, 0x2d, 0xc3, 0x93, 0x8a, 0xc5, 0x86, 0x58, 0x22, 0x8c, 0x0c, 0xbf, 0xb1, 0xd2, 0xca, 0x87, 0x2a, 0xe4, 0x35, 0x26, 0x6f, 0xcd, 0x05, 0x5e}, | ||
| 645 | {0xe4, 0x80, 0x6f, 0xdb, 0x3d, 0x7d, 0xba, 0xde, 0x50, 0x3f, 0xea, 0x00, 0x3d, 0x46, 0x59, 0x64, 0xfd, 0x58, 0x1c, 0xa1, 0xb8, 0x7d, 0x5f, 0xac, 0x94, 0x37, 0x9e, 0xa0, 0xc0, 0x9c, 0x93, 0x8b}, | ||
| 646 | {0x2c, 0xf3, 0xa9, 0xf6, 0x15, 0x25, 0x80, 0x70, 0x76, 0x99, 0x7d, 0xf1, 0xc3, 0x2f, 0xa3, 0x31, 0xff, 0x92, 0x35, 0x2e, 0x8d, 0x04, 0x13, 0x33, 0xd8, 0x0d, 0xdb, 0x4a, 0xf6, 0x8c, 0x03, 0x34}, | ||
| 647 | {0xec, 0x12, 0x24, 0x9f, 0x35, 0xa4, 0x29, 0x8b, 0x9e, 0x4a, 0x95, 0xf8, 0x61, 0xaf, 0x61, 0xc5, 0x66, 0x55, 0x3e, 0x3f, 0x2a, 0x98, 0xea, 0x71, 0x16, 0x6b, 0x1c, 0xd9, 0xe4, 0x09, 0xd2, 0x8e}, | ||
| 648 | }; | ||
| 649 | 1 | unsigned int i; | |
| 650 |
2/2✓ Branch 0 taken 14 times.
✓ Branch 1 taken 1 times.
|
15 | for (i = 0; i < sizeof(midstates)/sizeof(midstates[0]); i++) { |
| 651 | 14 | unsigned char out[32]; | |
| 652 | 14 | secp256k1_sha256 hasher = midstates[i]; | |
| 653 | 14 | secp256k1_sha256_write(&hasher, (const unsigned char*)input, strlen(input)); | |
| 654 | 14 | secp256k1_sha256_finalize(&hasher, out); | |
| 655 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 14 times.
|
28 | CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0); |
| 656 | } | ||
| 657 | 1 | } | |
| 658 | |||
| 659 | 1 | void run_hmac_sha256_tests(void) { | |
| 660 | 1 | static const char *keys[6] = { | |
| 661 | "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b", | ||
| 662 | "\x4a\x65\x66\x65", | ||
| 663 | "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa", | ||
| 664 | "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19", | ||
| 665 | "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa", | ||
| 666 | "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" | ||
| 667 | }; | ||
| 668 | 1 | static const char *inputs[6] = { | |
| 669 | "\x48\x69\x20\x54\x68\x65\x72\x65", | ||
| 670 | "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f", | ||
| 671 | "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd", | ||
| 672 | "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd", | ||
| 673 | "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74", | ||
| 674 | "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e" | ||
| 675 | }; | ||
| 676 | 1 | static const unsigned char outputs[6][32] = { | |
| 677 | {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7}, | ||
| 678 | {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43}, | ||
| 679 | {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe}, | ||
| 680 | {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b}, | ||
| 681 | {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54}, | ||
| 682 | {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2} | ||
| 683 | }; | ||
| 684 | 1 | int i; | |
| 685 |
2/2✓ Branch 0 taken 6 times.
✓ Branch 1 taken 1 times.
|
7 | for (i = 0; i < 6; i++) { |
| 686 | 6 | secp256k1_hmac_sha256 hasher; | |
| 687 | 6 | unsigned char out[32]; | |
| 688 | 6 | secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i])); | |
| 689 | 6 | secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i])); | |
| 690 | 6 | secp256k1_hmac_sha256_finalize(&hasher, out); | |
| 691 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 6 times.
|
12 | CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0); |
| 692 |
1/2✓ Branch 0 taken 6 times.
✗ Branch 1 not taken.
|
6 | if (strlen(inputs[i]) > 0) { |
| 693 | 6 | int split = secp256k1_testrand_int(strlen(inputs[i])); | |
| 694 | 6 | secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i])); | |
| 695 | 6 | secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split); | |
| 696 | 6 | secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split); | |
| 697 | 6 | secp256k1_hmac_sha256_finalize(&hasher, out); | |
| 698 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 6 times.
|
12 | CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0); |
| 699 | } | ||
| 700 | } | ||
| 701 | 1 | } | |
| 702 | |||
| 703 | 1 | void run_rfc6979_hmac_sha256_tests(void) { | |
| 704 | 1 | static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0}; | |
| 705 | 1 | static const unsigned char out1[3][32] = { | |
| 706 | {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb}, | ||
| 707 | {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a}, | ||
| 708 | {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e} | ||
| 709 | }; | ||
| 710 | |||
| 711 | 1 | static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55}; | |
| 712 | 1 | static const unsigned char out2[3][32] = { | |
| 713 | {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95}, | ||
| 714 | {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9}, | ||
| 715 | {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94} | ||
| 716 | }; | ||
| 717 | |||
| 718 | 1 | secp256k1_rfc6979_hmac_sha256 rng; | |
| 719 | 1 | unsigned char out[32]; | |
| 720 | 1 | int i; | |
| 721 | |||
| 722 | 1 | secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 64); | |
| 723 |
2/2✓ Branch 1 taken 3 times.
✓ Branch 2 taken 1 times.
|
5 | for (i = 0; i < 3; i++) { |
| 724 | 3 | secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32); | |
| 725 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 3 times.
|
6 | CHECK(secp256k1_memcmp_var(out, out1[i], 32) == 0); |
| 726 | } | ||
| 727 | 1 | secp256k1_rfc6979_hmac_sha256_finalize(&rng); | |
| 728 | |||
| 729 | 1 | secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 65); | |
| 730 |
2/2✓ Branch 1 taken 3 times.
✓ Branch 2 taken 1 times.
|
5 | for (i = 0; i < 3; i++) { |
| 731 | 3 | secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32); | |
| 732 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 3 times.
|
6 | CHECK(secp256k1_memcmp_var(out, out1[i], 32) != 0); |
| 733 | } | ||
| 734 | 1 | secp256k1_rfc6979_hmac_sha256_finalize(&rng); | |
| 735 | |||
| 736 | 1 | secp256k1_rfc6979_hmac_sha256_initialize(&rng, key2, 64); | |
| 737 |
2/2✓ Branch 1 taken 3 times.
✓ Branch 2 taken 1 times.
|
5 | for (i = 0; i < 3; i++) { |
| 738 | 3 | secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32); | |
| 739 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 3 times.
|
6 | CHECK(secp256k1_memcmp_var(out, out2[i], 32) == 0); |
| 740 | } | ||
| 741 | 1 | secp256k1_rfc6979_hmac_sha256_finalize(&rng); | |
| 742 | 1 | } | |
| 743 | |||
| 744 | 1 | void run_tagged_sha256_tests(void) { | |
| 745 | 1 | int ecount = 0; | |
| 746 | 1 | secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE); | |
| 747 | 1 | unsigned char tag[32] = { 0 }; | |
| 748 | 1 | unsigned char msg[32] = { 0 }; | |
| 749 | 1 | unsigned char hash32[32]; | |
| 750 | 1 | unsigned char hash_expected[32] = { | |
| 751 | 0x04, 0x7A, 0x5E, 0x17, 0xB5, 0x86, 0x47, 0xC1, | ||
| 752 | 0x3C, 0xC6, 0xEB, 0xC0, 0xAA, 0x58, 0x3B, 0x62, | ||
| 753 | 0xFB, 0x16, 0x43, 0x32, 0x68, 0x77, 0x40, 0x6C, | ||
| 754 | 0xE2, 0x76, 0x55, 0x9A, 0x3B, 0xDE, 0x55, 0xB3 | ||
| 755 | }; | ||
| 756 | |||
| 757 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | secp256k1_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount); |
| 758 | |||
| 759 | /* API test */ | ||
| 760 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_tagged_sha256(none, hash32, tag, sizeof(tag), msg, sizeof(msg)) == 1); |
| 761 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_tagged_sha256(none, NULL, tag, sizeof(tag), msg, sizeof(msg)) == 0); |
| 762 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 1); |
| 763 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_tagged_sha256(none, hash32, NULL, 0, msg, sizeof(msg)) == 0); |
| 764 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 2); |
| 765 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_tagged_sha256(none, hash32, tag, sizeof(tag), NULL, 0) == 0); |
| 766 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 3); |
| 767 | |||
| 768 | /* Static test vector */ | ||
| 769 | 1 | memcpy(tag, "tag", 3); | |
| 770 | 1 | memcpy(msg, "msg", 3); | |
| 771 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_tagged_sha256(none, hash32, tag, 3, msg, 3) == 1); |
| 772 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_memcmp_var(hash32, hash_expected, sizeof(hash32)) == 0); |
| 773 | 1 | secp256k1_context_destroy(none); | |
| 774 | 1 | } | |
| 775 | |||
| 776 | /***** RANDOM TESTS *****/ | ||
| 777 | |||
| 778 | 33 | void test_rand_bits(int rand32, int bits) { | |
| 779 | /* (1-1/2^B)^rounds[B] < 1/10^9, so rounds is the number of iterations to | ||
| 780 | * get a false negative chance below once in a billion */ | ||
| 781 | 33 | static const unsigned int rounds[7] = {1, 30, 73, 156, 322, 653, 1316}; | |
| 782 | /* We try multiplying the results with various odd numbers, which shouldn't | ||
| 783 | * influence the uniform distribution modulo a power of 2. */ | ||
| 784 | 33 | static const uint32_t mults[6] = {1, 3, 21, 289, 0x9999, 0x80402011}; | |
| 785 | /* We only select up to 6 bits from the output to analyse */ | ||
| 786 | 33 | unsigned int usebits = bits > 6 ? 6 : bits; | |
| 787 | 33 | unsigned int maxshift = bits - usebits; | |
| 788 | /* For each of the maxshift+1 usebits-bit sequences inside a bits-bit | ||
| 789 | number, track all observed outcomes, one per bit in a uint64_t. */ | ||
| 790 | 33 | uint64_t x[6][27] = {{0}}; | |
| 791 | 33 | unsigned int i, shift, m; | |
| 792 | /* Multiply the output of all rand calls with the odd number m, which | ||
| 793 | should not change the uniformity of its distribution. */ | ||
| 794 |
2/2✓ Branch 0 taken 38082 times.
✓ Branch 1 taken 33 times.
|
38115 | for (i = 0; i < rounds[usebits]; i++) { |
| 795 |
2/2✓ Branch 0 taken 1316 times.
✓ Branch 1 taken 36766 times.
|
38082 | uint32_t r = (rand32 ? secp256k1_testrand32() : secp256k1_testrand_bits(bits)); |
| 796 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 38082 times.
|
38082 | CHECK((((uint64_t)r) >> bits) == 0); |
| 797 |
2/2✓ Branch 0 taken 228492 times.
✓ Branch 1 taken 38082 times.
|
266574 | for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) { |
| 798 | 228492 | uint32_t rm = r * mults[m]; | |
| 799 |
2/2✓ Branch 0 taken 3205284 times.
✓ Branch 1 taken 228492 times.
|
3433776 | for (shift = 0; shift <= maxshift; shift++) { |
| 800 | 3205284 | x[m][shift] |= (((uint64_t)1) << ((rm >> shift) & ((1 << usebits) - 1))); | |
| 801 | } | ||
| 802 | } | ||
| 803 | } | ||
| 804 |
2/2✓ Branch 0 taken 198 times.
✓ Branch 1 taken 33 times.
|
231 | for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) { |
| 805 |
2/2✓ Branch 0 taken 2460 times.
✓ Branch 1 taken 198 times.
|
2658 | for (shift = 0; shift <= maxshift; shift++) { |
| 806 | /* Test that the lower usebits bits of x[shift] are 1 */ | ||
| 807 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 2460 times.
|
2460 | CHECK(((~x[m][shift]) << (64 - (1 << usebits))) == 0); |
| 808 | } | ||
| 809 | } | ||
| 810 | 33 | } | |
| 811 | |||
| 812 | /* Subrange must be a whole divisor of range, and at most 64 */ | ||
| 813 | 49 | void test_rand_int(uint32_t range, uint32_t subrange) { | |
| 814 | /* (1-1/subrange)^rounds < 1/10^9 */ | ||
| 815 | 49 | int rounds = (subrange * 2073) / 100; | |
| 816 | 49 | int i; | |
| 817 | 49 | uint64_t x = 0; | |
| 818 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 49 times.
|
49 | CHECK((range % subrange) == 0); |
| 819 |
2/2✓ Branch 0 taken 18403 times.
✓ Branch 1 taken 49 times.
|
18452 | for (i = 0; i < rounds; i++) { |
| 820 | 18403 | uint32_t r = secp256k1_testrand_int(range); | |
| 821 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 18403 times.
|
18403 | CHECK(r < range); |
| 822 | 18403 | r = r % subrange; | |
| 823 | 18403 | x |= (((uint64_t)1) << r); | |
| 824 | } | ||
| 825 | /* Test that the lower subrange bits of x are 1. */ | ||
| 826 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 49 times.
|
49 | CHECK(((~x) << (64 - subrange)) == 0); |
| 827 | 49 | } | |
| 828 | |||
| 829 | 1 | void run_rand_bits(void) { | |
| 830 | 1 | size_t b; | |
| 831 | 1 | test_rand_bits(1, 32); | |
| 832 |
2/2✓ Branch 1 taken 32 times.
✓ Branch 2 taken 1 times.
|
34 | for (b = 1; b <= 32; b++) { |
| 833 | 32 | test_rand_bits(0, b); | |
| 834 | } | ||
| 835 | 1 | } | |
| 836 | |||
| 837 | 1 | void run_rand_int(void) { | |
| 838 | 1 | static const uint32_t ms[] = {1, 3, 17, 1000, 13771, 999999, 33554432}; | |
| 839 | 1 | static const uint32_t ss[] = {1, 3, 6, 9, 13, 31, 64}; | |
| 840 | 1 | unsigned int m, s; | |
| 841 |
2/2✓ Branch 0 taken 7 times.
✓ Branch 1 taken 1 times.
|
8 | for (m = 0; m < sizeof(ms) / sizeof(ms[0]); m++) { |
| 842 |
2/2✓ Branch 0 taken 49 times.
✓ Branch 1 taken 7 times.
|
56 | for (s = 0; s < sizeof(ss) / sizeof(ss[0]); s++) { |
| 843 | 49 | test_rand_int(ms[m] * ss[s], ss[s]); | |
| 844 | } | ||
| 845 | } | ||
| 846 | 1 | } | |
| 847 | |||
| 848 | /***** MODINV TESTS *****/ | ||
| 849 | |||
| 850 | /* Compute the modular inverse of (odd) x mod 2^64. */ | ||
| 851 | 13100 | uint64_t modinv2p64(uint64_t x) { | |
| 852 | /* If w = 1/x mod 2^(2^L), then w*(2 - w*x) = 1/x mod 2^(2^(L+1)). See | ||
| 853 | * Hacker's Delight second edition, Henry S. Warren, Jr., pages 245-247 for | ||
| 854 | * why. Start with L=0, for which it is true for every odd x that | ||
| 855 | * 1/x=1 mod 2. Iterating 6 times gives us 1/x mod 2^64. */ | ||
| 856 | 13100 | int l; | |
| 857 | 13100 | uint64_t w = 1; | |
| 858 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 13100 times.
|
13100 | CHECK(x & 1); |
| 859 |
2/2✓ Branch 0 taken 78600 times.
✓ Branch 1 taken 13100 times.
|
91700 | for (l = 0; l < 6; ++l) w *= (2 - w*x); |
| 860 | 13100 | return w; | |
| 861 | } | ||
| 862 | |||
| 863 | /* compute out = (a*b) mod m; if b=NULL, treat b=1. | ||
| 864 | * | ||
| 865 | * Out is a 512-bit number (represented as 32 uint16_t's in LE order). The other | ||
| 866 | * arguments are 256-bit numbers (represented as 16 uint16_t's in LE order). */ | ||
| 867 | 1033563 | void mulmod256(uint16_t* out, const uint16_t* a, const uint16_t* b, const uint16_t* m) { | |
| 868 | 1033563 | uint16_t mul[32]; | |
| 869 | 1033563 | uint64_t c = 0; | |
| 870 | 1033563 | int i, j; | |
| 871 | 1033563 | int m_bitlen = 0; | |
| 872 | 1033563 | int mul_bitlen = 0; | |
| 873 | |||
| 874 |
2/2✓ Branch 0 taken 64600 times.
✓ Branch 1 taken 968963 times.
|
1033563 | if (b != NULL) { |
| 875 | /* Compute the product of a and b, and put it in mul. */ | ||
| 876 |
2/2✓ Branch 0 taken 2067200 times.
✓ Branch 1 taken 64600 times.
|
2131800 | for (i = 0; i < 32; ++i) { |
| 877 |
2/2✓ Branch 0 taken 16537600 times.
✓ Branch 1 taken 2067200 times.
|
18604800 | for (j = i <= 15 ? 0 : i - 15; j <= i && j <= 15; j++) { |
| 878 | 16537600 | c += (uint64_t)a[j] * b[i - j]; | |
| 879 | } | ||
| 880 | 2067200 | mul[i] = c & 0xFFFF; | |
| 881 | 2067200 | c >>= 16; | |
| 882 | } | ||
| 883 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 64600 times.
|
64600 | CHECK(c == 0); |
| 884 | |||
| 885 | /* compute the highest set bit in mul */ | ||
| 886 |
2/2✓ Branch 0 taken 2100620 times.
✓ Branch 1 taken 269 times.
|
2100889 | for (i = 511; i >= 0; --i) { |
| 887 |
2/2✓ Branch 0 taken 2036289 times.
✓ Branch 1 taken 64331 times.
|
2100620 | if ((mul[i >> 4] >> (i & 15)) & 1) { |
| 888 | mul_bitlen = i; | ||
| 889 | break; | ||
| 890 | } | ||
| 891 | } | ||
| 892 | } else { | ||
| 893 | /* if b==NULL, set mul=a. */ | ||
| 894 | 968963 | memcpy(mul, a, 32); | |
| 895 | 968963 | memset(mul + 16, 0, 32); | |
| 896 | /* compute the highest set bit in mul */ | ||
| 897 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 143090345 times.
|
143090345 | for (i = 255; i >= 0; --i) { |
| 898 |
2/2✓ Branch 0 taken 142121382 times.
✓ Branch 1 taken 968963 times.
|
143090345 | if ((mul[i >> 4] >> (i & 15)) & 1) { |
| 899 | mul_bitlen = i; | ||
| 900 | break; | ||
| 901 | } | ||
| 902 | } | ||
| 903 | } | ||
| 904 | |||
| 905 | /* Compute the highest set bit in m. */ | ||
| 906 |
1/2✓ Branch 0 taken 145447558 times.
✗ Branch 1 not taken.
|
145447558 | for (i = 255; i >= 0; --i) { |
| 907 |
2/2✓ Branch 0 taken 144413995 times.
✓ Branch 1 taken 1033563 times.
|
145447558 | if ((m[i >> 4] >> (i & 15)) & 1) { |
| 908 | m_bitlen = i; | ||
| 909 | break; | ||
| 910 | } | ||
| 911 | } | ||
| 912 | |||
| 913 | /* Try do mul -= m<<i, for i going down to 0, whenever the result is not negative */ | ||
| 914 |
2/2✓ Branch 0 taken 17989440 times.
✓ Branch 1 taken 1033563 times.
|
19023003 | for (i = mul_bitlen - m_bitlen; i >= 0; --i) { |
| 915 | uint16_t mul2[32]; | ||
| 916 | int64_t cs; | ||
| 917 | |||
| 918 | /* Compute mul2 = mul - m<<i. */ | ||
| 919 | cs = 0; /* accumulator */ | ||
| 920 |
2/2✓ Branch 0 taken 575662080 times.
✓ Branch 1 taken 17989440 times.
|
593651520 | for (j = 0; j < 32; ++j) { /* j loops over the output limbs in mul2. */ |
| 921 | /* Compute sub: the 16 bits in m that will be subtracted from mul2[j]. */ | ||
| 922 | uint16_t sub = 0; | ||
| 923 | int p; | ||
| 924 |
2/2✓ Branch 0 taken 9210593280 times.
✓ Branch 1 taken 575662080 times.
|
9786255360 | for (p = 0; p < 16; ++p) { /* p loops over the bit positions in mul2[j]. */ |
| 925 | 9210593280 | int bitpos = j * 16 - i + p; /* bitpos is the correspond bit position in m. */ | |
| 926 |
2/2✓ Branch 0 taken 4605296640 times.
✓ Branch 1 taken 4605296640 times.
|
9210593280 | if (bitpos >= 0 && bitpos < 256) { |
| 927 | 4605296640 | sub |= ((m[bitpos >> 4] >> (bitpos & 15)) & 1) << p; | |
| 928 | } | ||
| 929 | } | ||
| 930 | /* Add mul[j]-sub to accumulator, and shift bottom 16 bits out to mul2[j]. */ | ||
| 931 | 575662080 | cs += mul[j]; | |
| 932 | 575662080 | cs -= sub; | |
| 933 | 575662080 | mul2[j] = (cs & 0xFFFF); | |
| 934 | 575662080 | cs >>= 16; | |
| 935 | } | ||
| 936 | /* If remainder of subtraction is 0, set mul = mul2. */ | ||
| 937 |
2/2✓ Branch 0 taken 9136091 times.
✓ Branch 1 taken 8853349 times.
|
17989440 | if (cs == 0) { |
| 938 | 9136091 | memcpy(mul, mul2, sizeof(mul)); | |
| 939 | } | ||
| 940 | } | ||
| 941 | /* Sanity check: test that all limbs higher than m's highest are zero */ | ||
| 942 |
2/2✓ Branch 0 taken 25098389 times.
✓ Branch 1 taken 1033563 times.
|
26131952 | for (i = (m_bitlen >> 4) + 1; i < 32; ++i) { |
| 943 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 25098389 times.
|
25098389 | CHECK(mul[i] == 0); |
| 944 | } | ||
| 945 | 1033563 | memcpy(out, mul, 32); | |
| 946 | 1033563 | } | |
| 947 | |||
| 948 | /* Convert a 256-bit number represented as 16 uint16_t's to signed30 notation. */ | ||
| 949 | 13100 | void uint16_to_signed30(secp256k1_modinv32_signed30* out, const uint16_t* in) { | |
| 950 | 13100 | int i; | |
| 951 | 13100 | memset(out->v, 0, sizeof(out->v)); | |
| 952 |
2/2✓ Branch 0 taken 3353600 times.
✓ Branch 1 taken 13100 times.
|
3366700 | for (i = 0; i < 256; ++i) { |
| 953 | 3353600 | out->v[i / 30] |= (int32_t)(((in[i >> 4]) >> (i & 15)) & 1) << (i % 30); | |
| 954 | } | ||
| 955 | 13100 | } | |
| 956 | |||
| 957 | /* Convert a 256-bit number in signed30 notation to a representation as 16 uint16_t's. */ | ||
| 958 | 26200 | void signed30_to_uint16(uint16_t* out, const secp256k1_modinv32_signed30* in) { | |
| 959 | 26200 | int i; | |
| 960 | 26200 | memset(out, 0, 32); | |
| 961 |
2/2✓ Branch 0 taken 6707200 times.
✓ Branch 1 taken 26200 times.
|
6733400 | for (i = 0; i < 256; ++i) { |
| 962 | 6707200 | out[i >> 4] |= (((in->v[i / 30]) >> (i % 30)) & 1) << (i & 15); | |
| 963 | } | ||
| 964 | 26200 | } | |
| 965 | |||
| 966 | /* Randomly mutate the sign of limbs in signed30 representation, without changing the value. */ | ||
| 967 | 6550 | void mutate_sign_signed30(secp256k1_modinv32_signed30* x) { | |
| 968 | 6550 | int i; | |
| 969 |
2/2✓ Branch 0 taken 104800 times.
✓ Branch 1 taken 6550 times.
|
111350 | for (i = 0; i < 16; ++i) { |
| 970 | 104800 | int pos = secp256k1_testrand_bits(3); | |
| 971 |
3/4✓ Branch 0 taken 43995 times.
✓ Branch 1 taken 60805 times.
✓ Branch 2 taken 43995 times.
✗ Branch 3 not taken.
|
104800 | if (x->v[pos] > 0 && x->v[pos + 1] <= 0x3fffffff) { |
| 972 | 43995 | x->v[pos] -= 0x40000000; | |
| 973 | 43995 | x->v[pos + 1] += 1; | |
| 974 |
4/4✓ Branch 0 taken 44511 times.
✓ Branch 1 taken 16294 times.
✓ Branch 2 taken 2239 times.
✓ Branch 3 taken 42272 times.
|
60805 | } else if (x->v[pos] < 0 && x->v[pos + 1] >= 0x3fffffff) { |
| 975 | 2239 | x->v[pos] += 0x40000000; | |
| 976 | 2239 | x->v[pos + 1] -= 1; | |
| 977 | } | ||
| 978 | } | ||
| 979 | 6550 | } | |
| 980 | |||
| 981 | /* Test secp256k1_modinv32{_var}, using inputs in 16-bit limb format, and returning inverse. */ | ||
| 982 | 6550 | void test_modinv32_uint16(uint16_t* out, const uint16_t* in, const uint16_t* mod) { | |
| 983 | 6550 | uint16_t tmp[16]; | |
| 984 | 6550 | secp256k1_modinv32_signed30 x; | |
| 985 | 6550 | secp256k1_modinv32_modinfo m; | |
| 986 | 6550 | int i, vartime, nonzero; | |
| 987 | |||
| 988 | 6550 | uint16_to_signed30(&x, in); | |
| 989 | 6550 | nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4] | x.v[5] | x.v[6] | x.v[7] | x.v[8]) != 0; | |
| 990 | 6550 | uint16_to_signed30(&m.modulus, mod); | |
| 991 | 6550 | mutate_sign_signed30(&m.modulus); | |
| 992 | |||
| 993 | /* compute 1/modulus mod 2^30 */ | ||
| 994 | 6550 | m.modulus_inv30 = modinv2p64(m.modulus.v[0]) & 0x3fffffff; | |
| 995 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 6550 times.
|
6550 | CHECK(((m.modulus_inv30 * m.modulus.v[0]) & 0x3fffffff) == 1); |
| 996 | |||
| 997 |
2/2✓ Branch 0 taken 13100 times.
✓ Branch 1 taken 6550 times.
|
19650 | for (vartime = 0; vartime < 2; ++vartime) { |
| 998 | /* compute inverse */ | ||
| 999 |
2/2✓ Branch 0 taken 6550 times.
✓ Branch 1 taken 6550 times.
|
19650 | (vartime ? secp256k1_modinv32_var : secp256k1_modinv32)(&x, &m); |
| 1000 | |||
| 1001 | /* produce output */ | ||
| 1002 | 13100 | signed30_to_uint16(out, &x); | |
| 1003 | |||
| 1004 | /* check if the inverse times the input is 1 (mod m), unless x is 0. */ | ||
| 1005 | 13100 | mulmod256(tmp, out, in, mod); | |
| 1006 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 13100 times.
|
13100 | CHECK(tmp[0] == nonzero); |
| 1007 |
3/4✗ Branch 0 not taken.
✓ Branch 1 taken 196500 times.
✓ Branch 4 taken 196500 times.
✓ Branch 5 taken 13100 times.
|
209600 | for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0); |
| 1008 | |||
| 1009 | /* invert again */ | ||
| 1010 | 13100 | (vartime ? secp256k1_modinv32_var : secp256k1_modinv32)(&x, &m); | |
| 1011 | |||
| 1012 | /* check if the result is equal to the input */ | ||
| 1013 | 13100 | signed30_to_uint16(tmp, &x); | |
| 1014 |
3/4✗ Branch 1 not taken.
✓ Branch 2 taken 209600 times.
✓ Branch 5 taken 209600 times.
✓ Branch 6 taken 13100 times.
|
235800 | for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]); |
| 1015 | } | ||
| 1016 | 6550 | } | |
| 1017 | |||
| 1018 | #ifdef SECP256K1_WIDEMUL_INT128 | ||
| 1019 | /* Convert a 256-bit number represented as 16 uint16_t's to signed62 notation. */ | ||
| 1020 | 13100 | void uint16_to_signed62(secp256k1_modinv64_signed62* out, const uint16_t* in) { | |
| 1021 | 13100 | int i; | |
| 1022 | 13100 | memset(out->v, 0, sizeof(out->v)); | |
| 1023 |
2/2✓ Branch 0 taken 3353600 times.
✓ Branch 1 taken 13100 times.
|
3366700 | for (i = 0; i < 256; ++i) { |
| 1024 | 3353600 | out->v[i / 62] |= (int64_t)(((in[i >> 4]) >> (i & 15)) & 1) << (i % 62); | |
| 1025 | } | ||
| 1026 | 13100 | } | |
| 1027 | |||
| 1028 | /* Convert a 256-bit number in signed62 notation to a representation as 16 uint16_t's. */ | ||
| 1029 | 26200 | void signed62_to_uint16(uint16_t* out, const secp256k1_modinv64_signed62* in) { | |
| 1030 | 26200 | int i; | |
| 1031 | 26200 | memset(out, 0, 32); | |
| 1032 |
2/2✓ Branch 0 taken 6707200 times.
✓ Branch 1 taken 26200 times.
|
6733400 | for (i = 0; i < 256; ++i) { |
| 1033 | 6707200 | out[i >> 4] |= (((in->v[i / 62]) >> (i % 62)) & 1) << (i & 15); | |
| 1034 | } | ||
| 1035 | 26200 | } | |
| 1036 | |||
| 1037 | /* Randomly mutate the sign of limbs in signed62 representation, without changing the value. */ | ||
| 1038 | 6550 | void mutate_sign_signed62(secp256k1_modinv64_signed62* x) { | |
| 1039 | 6550 | static const int64_t M62 = (int64_t)(UINT64_MAX >> 2); | |
| 1040 | 6550 | int i; | |
| 1041 |
2/2✓ Branch 0 taken 52400 times.
✓ Branch 1 taken 6550 times.
|
58950 | for (i = 0; i < 8; ++i) { |
| 1042 | 52400 | int pos = secp256k1_testrand_bits(2); | |
| 1043 |
3/4✓ Branch 0 taken 31676 times.
✓ Branch 1 taken 20724 times.
✓ Branch 2 taken 31676 times.
✗ Branch 3 not taken.
|
52400 | if (x->v[pos] > 0 && x->v[pos + 1] <= M62) { |
| 1044 | 31676 | x->v[pos] -= (M62 + 1); | |
| 1045 | 31676 | x->v[pos + 1] += 1; | |
| 1046 |
3/4✓ Branch 0 taken 18610 times.
✓ Branch 1 taken 2114 times.
✓ Branch 2 taken 18610 times.
✗ Branch 3 not taken.
|
20724 | } else if (x->v[pos] < 0 && x->v[pos + 1] >= -M62) { |
| 1047 | 18610 | x->v[pos] += (M62 + 1); | |
| 1048 | 18610 | x->v[pos + 1] -= 1; | |
| 1049 | } | ||
| 1050 | } | ||
| 1051 | 6550 | } | |
| 1052 | |||
| 1053 | /* Test secp256k1_modinv64{_var}, using inputs in 16-bit limb format, and returning inverse. */ | ||
| 1054 | 6550 | void test_modinv64_uint16(uint16_t* out, const uint16_t* in, const uint16_t* mod) { | |
| 1055 | 6550 | static const int64_t M62 = (int64_t)(UINT64_MAX >> 2); | |
| 1056 | 6550 | uint16_t tmp[16]; | |
| 1057 | 6550 | secp256k1_modinv64_signed62 x; | |
| 1058 | 6550 | secp256k1_modinv64_modinfo m; | |
| 1059 | 6550 | int i, vartime, nonzero; | |
| 1060 | |||
| 1061 | 6550 | uint16_to_signed62(&x, in); | |
| 1062 | 6550 | nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4]) != 0; | |
| 1063 | 6550 | uint16_to_signed62(&m.modulus, mod); | |
| 1064 | 6550 | mutate_sign_signed62(&m.modulus); | |
| 1065 | |||
| 1066 | /* compute 1/modulus mod 2^62 */ | ||
| 1067 | 6550 | m.modulus_inv62 = modinv2p64(m.modulus.v[0]) & M62; | |
| 1068 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 6550 times.
|
6550 | CHECK(((m.modulus_inv62 * m.modulus.v[0]) & M62) == 1); |
| 1069 | |||
| 1070 |
2/2✓ Branch 0 taken 13100 times.
✓ Branch 1 taken 6550 times.
|
19650 | for (vartime = 0; vartime < 2; ++vartime) { |
| 1071 | /* compute inverse */ | ||
| 1072 |
2/2✓ Branch 0 taken 6550 times.
✓ Branch 1 taken 6550 times.
|
19650 | (vartime ? secp256k1_modinv64_var : secp256k1_modinv64)(&x, &m); |
| 1073 | |||
| 1074 | /* produce output */ | ||
| 1075 | 13100 | signed62_to_uint16(out, &x); | |
| 1076 | |||
| 1077 | /* check if the inverse times the input is 1 (mod m), unless x is 0. */ | ||
| 1078 | 13100 | mulmod256(tmp, out, in, mod); | |
| 1079 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 13100 times.
|
13100 | CHECK(tmp[0] == nonzero); |
| 1080 |
3/4✗ Branch 0 not taken.
✓ Branch 1 taken 196500 times.
✓ Branch 4 taken 196500 times.
✓ Branch 5 taken 13100 times.
|
209600 | for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0); |
| 1081 | |||
| 1082 | /* invert again */ | ||
| 1083 | 13100 | (vartime ? secp256k1_modinv64_var : secp256k1_modinv64)(&x, &m); | |
| 1084 | |||
| 1085 | /* check if the result is equal to the input */ | ||
| 1086 | 13100 | signed62_to_uint16(tmp, &x); | |
| 1087 |
3/4✗ Branch 1 not taken.
✓ Branch 2 taken 209600 times.
✓ Branch 5 taken 209600 times.
✓ Branch 6 taken 13100 times.
|
235800 | for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]); |
| 1088 | } | ||
| 1089 | 6550 | } | |
| 1090 | #endif | ||
| 1091 | |||
| 1092 | /* test if a and b are coprime */ | ||
| 1093 | 7945 | int coprime(const uint16_t* a, const uint16_t* b) { | |
| 1094 | 7945 | uint16_t x[16], y[16], t[16]; | |
| 1095 | 7945 | int i; | |
| 1096 | 7945 | int iszero; | |
| 1097 | 7945 | memcpy(x, a, 32); | |
| 1098 | 7945 | memcpy(y, b, 32); | |
| 1099 | |||
| 1100 | /* simple gcd loop: while x!=0, (x,y)=(y%x,x) */ | ||
| 1101 | 1929981 | while (1) { | |
| 1102 | 968963 | iszero = 1; | |
| 1103 |
2/2✓ Branch 0 taken 1092284 times.
✓ Branch 1 taken 7945 times.
|
1100229 | for (i = 0; i < 16; ++i) { |
| 1104 |
2/2✓ Branch 0 taken 131266 times.
✓ Branch 1 taken 961018 times.
|
1092284 | if (x[i] != 0) { |
| 1105 | iszero = 0; | ||
| 1106 | break; | ||
| 1107 | } | ||
| 1108 | } | ||
| 1109 |
2/2✓ Branch 0 taken 961018 times.
✓ Branch 1 taken 7945 times.
|
968963 | if (iszero) break; |
| 1110 | 961018 | mulmod256(t, y, NULL, x); | |
| 1111 | 961018 | memcpy(y, x, 32); | |
| 1112 | 961018 | memcpy(x, t, 32); | |
| 1113 | } | ||
| 1114 | |||
| 1115 | /* return whether y=1 */ | ||
| 1116 |
2/2✓ Branch 0 taken 6400 times.
✓ Branch 1 taken 1545 times.
|
7945 | if (y[0] != 1) return 0; |
| 1117 |
2/2✓ Branch 0 taken 96000 times.
✓ Branch 1 taken 6400 times.
|
102400 | for (i = 1; i < 16; ++i) { |
| 1118 |
1/2✓ Branch 0 taken 96000 times.
✗ Branch 1 not taken.
|
96000 | if (y[i] != 0) return 0; |
| 1119 | } | ||
| 1120 | return 1; | ||
| 1121 | } | ||
| 1122 | |||
| 1123 | 1 | void run_modinv_tests(void) { | |
| 1124 | /* Fixed test cases. Each tuple is (input, modulus, output), each as 16x16 bits in LE order. */ | ||
| 1125 | 1 | static const uint16_t CASES[][3][16] = { | |
| 1126 | /* Test cases triggering edge cases in divsteps */ | ||
| 1127 | |||
| 1128 | /* Test case known to need 713 divsteps */ | ||
| 1129 | {{0x1513, 0x5389, 0x54e9, 0x2798, 0x1957, 0x66a0, 0x8057, 0x3477, | ||
| 1130 | 0x7784, 0x1052, 0x326a, 0x9331, 0x6506, 0xa95c, 0x91f3, 0xfb5e}, | ||
| 1131 | {0x2bdd, 0x8df4, 0xcc61, 0x481f, 0xdae5, 0x5ca7, 0xf43b, 0x7d54, | ||
| 1132 | 0x13d6, 0x469b, 0x2294, 0x20f4, 0xb2a4, 0xa2d1, 0x3ff1, 0xfd4b}, | ||
| 1133 | {0xffd8, 0xd9a0, 0x456e, 0x81bb, 0xbabd, 0x6cea, 0x6dbd, 0x73ab, | ||
| 1134 | 0xbb94, 0x3d3c, 0xdf08, 0x31c4, 0x3e32, 0xc179, 0x2486, 0xb86b}}, | ||
| 1135 | /* Test case known to need 589 divsteps, reaching delta=-140 and | ||
| 1136 | delta=141. */ | ||
| 1137 | {{0x3fb1, 0x903b, 0x4eb7, 0x4813, 0xd863, 0x26bf, 0xd89f, 0xa8a9, | ||
| 1138 | 0x02fe, 0x57c6, 0x554a, 0x4eab, 0x165e, 0x3d61, 0xee1e, 0x456c}, | ||
| 1139 | {0x9295, 0x823b, 0x5c1f, 0x5386, 0x48e0, 0x02ff, 0x4c2a, 0xa2da, | ||
| 1140 | 0xe58f, 0x967c, 0xc97e, 0x3f5a, 0x69fb, 0x52d9, 0x0a86, 0xb4a3}, | ||
| 1141 | {0x3d30, 0xb893, 0xa809, 0xa7a8, 0x26f5, 0x5b42, 0x55be, 0xf4d0, | ||
| 1142 | 0x12c2, 0x7e6a, 0xe41a, 0x90c7, 0xebfa, 0xf920, 0x304e, 0x1419}}, | ||
| 1143 | /* Test case known to need 650 divsteps, and doing 65 consecutive (f,g/2) steps. */ | ||
| 1144 | {{0x8583, 0x5058, 0xbeae, 0xeb69, 0x48bc, 0x52bb, 0x6a9d, 0xcc94, | ||
| 1145 | 0x2a21, 0x87d5, 0x5b0d, 0x42f6, 0x5b8a, 0x2214, 0xe9d6, 0xa040}, | ||
| 1146 | {0x7531, 0x27cb, 0x7e53, 0xb739, 0x6a5f, 0x83f5, 0xa45c, 0xcb1d, | ||
| 1147 | 0x8a87, 0x1c9c, 0x51d7, 0x851c, 0xb9d8, 0x1fbe, 0xc241, 0xd4a3}, | ||
| 1148 | {0xcdb4, 0x275c, 0x7d22, 0xa906, 0x0173, 0xc054, 0x7fdf, 0x5005, | ||
| 1149 | 0x7fb8, 0x9059, 0xdf51, 0x99df, 0x2654, 0x8f6e, 0x070f, 0xb347}}, | ||
| 1150 | /* example needing 713 divsteps; delta=-2..3 */ | ||
| 1151 | {{0xe2e9, 0xee91, 0x4345, 0xe5ad, 0xf3ec, 0x8f42, 0x0364, 0xd5c9, | ||
| 1152 | 0xff49, 0xbef5, 0x4544, 0x4c7c, 0xae4b, 0xfd9d, 0xb35b, 0xda9d}, | ||
| 1153 | {0x36e7, 0x8cca, 0x2ed0, 0x47b3, 0xaca4, 0xb374, 0x7d2a, 0x0772, | ||
| 1154 | 0x6bdb, 0xe0a7, 0x900b, 0xfe10, 0x788c, 0x6f22, 0xd909, 0xf298}, | ||
| 1155 | {0xd8c6, 0xba39, 0x13ed, 0x198c, 0x16c8, 0xb837, 0xa5f2, 0x9797, | ||
| 1156 | 0x0113, 0x882a, 0x15b5, 0x324c, 0xabee, 0xe465, 0x8170, 0x85ac}}, | ||
| 1157 | /* example needing 713 divsteps; delta=-2..3 */ | ||
| 1158 | {{0xd5b7, 0x2966, 0x040e, 0xf59a, 0x0387, 0xd96d, 0xbfbc, 0xd850, | ||
| 1159 | 0x2d96, 0x872a, 0xad81, 0xc03c, 0xbb39, 0xb7fa, 0xd904, 0xef78}, | ||
| 1160 | {0x6279, 0x4314, 0xfdd3, 0x1568, 0x0982, 0x4d13, 0x625f, 0x010c, | ||
| 1161 | 0x22b1, 0x0cc3, 0xf22d, 0x5710, 0x1109, 0x5751, 0x7714, 0xfcf2}, | ||
| 1162 | {0xdb13, 0x5817, 0x232e, 0xe456, 0xbbbc, 0x6fbe, 0x4572, 0xa358, | ||
| 1163 | 0xc76d, 0x928e, 0x0162, 0x5314, 0x8325, 0x5683, 0xe21b, 0xda88}}, | ||
| 1164 | /* example needing 713 divsteps; delta=-2..3 */ | ||
| 1165 | {{0xa06f, 0x71ee, 0x3bac, 0x9ebb, 0xdeaa, 0x09ed, 0x1cf7, 0x9ec9, | ||
| 1166 | 0x7158, 0x8b72, 0x5d53, 0x5479, 0x5c75, 0xbb66, 0x9125, 0xeccc}, | ||
| 1167 | {0x2941, 0xd46c, 0x3cd4, 0x4a9d, 0x5c4a, 0x256b, 0xbd6c, 0x9b8e, | ||
| 1168 | 0x8fe0, 0x8a14, 0xffe8, 0x2496, 0x618d, 0xa9d7, 0x5018, 0xfb29}, | ||
| 1169 | {0x437c, 0xbd60, 0x7590, 0x94bb, 0x0095, 0xd35e, 0xd4fe, 0xd6da, | ||
| 1170 | 0x0d4e, 0x5342, 0x4cd2, 0x169b, 0x661c, 0x1380, 0xed2d, 0x85c1}}, | ||
| 1171 | /* example reaching delta=-64..65; 661 divsteps */ | ||
| 1172 | {{0xfde4, 0x68d6, 0x6c48, 0x7f77, 0x1c78, 0x96de, 0x2fd9, 0xa6c2, | ||
| 1173 | 0xbbb5, 0xd319, 0x69cf, 0xd4b3, 0xa321, 0xcda0, 0x172e, 0xe530}, | ||
| 1174 | {0xd9e3, 0x0f60, 0x3d86, 0xeeab, 0x25ee, 0x9582, 0x2d50, 0xfe16, | ||
| 1175 | 0xd4e2, 0xe3ba, 0x94e2, 0x9833, 0x6c5e, 0x8982, 0x13b6, 0xe598}, | ||
| 1176 | {0xe675, 0xf55a, 0x10f6, 0xabde, 0x5113, 0xecaa, 0x61ae, 0xad9f, | ||
| 1177 | 0x0c27, 0xef33, 0x62e5, 0x211d, 0x08fa, 0xa78d, 0xc675, 0x8bae}}, | ||
| 1178 | /* example reaching delta=-64..65; 661 divsteps */ | ||
| 1179 | {{0x21bf, 0x52d5, 0x8fd4, 0xaa18, 0x156a, 0x7247, 0xebb8, 0x5717, | ||
| 1180 | 0x4eb5, 0x1421, 0xb58f, 0x3b0b, 0x5dff, 0xe533, 0xb369, 0xd28a}, | ||
| 1181 | {0x9f6b, 0xe463, 0x2563, 0xc74d, 0x6d81, 0x636a, 0x8fc8, 0x7a94, | ||
| 1182 | 0x9429, 0x1585, 0xf35e, 0x7ff5, 0xb64f, 0x9720, 0xba74, 0xe108}, | ||
| 1183 | {0xa5ab, 0xea7b, 0xfe5e, 0x8a85, 0x13be, 0x7934, 0xe8a0, 0xa187, | ||
| 1184 | 0x86b5, 0xe477, 0xb9a4, 0x75d7, 0x538f, 0xdd70, 0xc781, 0xb67d}}, | ||
| 1185 | /* example reaching delta=-64..65; 661 divsteps */ | ||
| 1186 | {{0xa41a, 0x3e8d, 0xf1f5, 0x9493, 0x868c, 0x5103, 0x2725, 0x3ceb, | ||
| 1187 | 0x6032, 0x3624, 0xdc6b, 0x9120, 0xbf4c, 0x8821, 0x91ad, 0xb31a}, | ||
| 1188 | {0x5c0b, 0xdda5, 0x20f8, 0x32a1, 0xaf73, 0x6ec5, 0x4779, 0x43d6, | ||
| 1189 | 0xd454, 0x9573, 0xbf84, 0x5a58, 0xe04e, 0x307e, 0xd1d5, 0xe230}, | ||
| 1190 | {0xda15, 0xbcd6, 0x7180, 0xabd3, 0x04e6, 0x6986, 0xc0d7, 0x90bb, | ||
| 1191 | 0x3a4d, 0x7c95, 0xaaab, 0x9ab3, 0xda34, 0xa7f6, 0x9636, 0x6273}}, | ||
| 1192 | /* example doing 123 consecutive (f,g/2) steps; 615 divsteps */ | ||
| 1193 | {{0xb4d6, 0xb38f, 0x00aa, 0xebda, 0xd4c2, 0x70b8, 0x9dad, 0x58ee, | ||
| 1194 | 0x68f8, 0x48d3, 0xb5ff, 0xf422, 0x9e46, 0x2437, 0x18d0, 0xd9cc}, | ||
| 1195 | {0x5c83, 0xfed7, 0x97f5, 0x3f07, 0xcaad, 0x95b1, 0xb4a4, 0xb005, | ||
| 1196 | 0x23af, 0xdd27, 0x6c0d, 0x932c, 0xe2b2, 0xe3ae, 0xfb96, 0xdf67}, | ||
| 1197 | {0x3105, 0x0127, 0xfd48, 0x039b, 0x35f1, 0xbc6f, 0x6c0a, 0xb572, | ||
| 1198 | 0xe4df, 0xebad, 0x8edc, 0xb89d, 0x9555, 0x4c26, 0x1fef, 0x997c}}, | ||
| 1199 | /* example doing 123 consecutive (f,g/2) steps; 614 divsteps */ | ||
| 1200 | {{0x5138, 0xd474, 0x385f, 0xc964, 0x00f2, 0x6df7, 0x862d, 0xb185, | ||
| 1201 | 0xb264, 0xe9e1, 0x466c, 0xf39e, 0xafaf, 0x5f41, 0x47e2, 0xc89d}, | ||
| 1202 | {0x8607, 0x9c81, 0x46a2, 0x7dcc, 0xcb0c, 0x9325, 0xe149, 0x2bde, | ||
| 1203 | 0x6632, 0x2869, 0xa261, 0xb163, 0xccee, 0x22ae, 0x91e0, 0xcfd5}, | ||
| 1204 | {0x831c, 0xda22, 0xb080, 0xba7a, 0x26e2, 0x54b0, 0x073b, 0x5ea0, | ||
| 1205 | 0xed4b, 0xcb3d, 0xbba1, 0xbec8, 0xf2ad, 0xae0d, 0x349b, 0x17d1}}, | ||
| 1206 | /* example doing 123 consecutive (f,g/2) steps; 614 divsteps */ | ||
| 1207 | {{0xe9a5, 0xb4ad, 0xd995, 0x9953, 0xcdff, 0x50d7, 0xf715, 0x9dc7, | ||
| 1208 | 0x3e28, 0x15a9, 0x95a3, 0x8554, 0x5b5e, 0xad1d, 0x6d57, 0x3d50}, | ||
| 1209 | {0x3ad9, 0xbd60, 0x5cc7, 0x6b91, 0xadeb, 0x71f6, 0x7cc4, 0xa58a, | ||
| 1210 | 0x2cce, 0xf17c, 0x38c9, 0x97ed, 0x65fb, 0x3fa6, 0xa6bc, 0xeb24}, | ||
| 1211 | {0xf96c, 0x1963, 0x8151, 0xa0cc, 0x299b, 0xf277, 0x001a, 0x16bb, | ||
| 1212 | 0xfd2e, 0x532d, 0x0410, 0xe117, 0x6b00, 0x44ec, 0xca6a, 0x1745}}, | ||
| 1213 | /* example doing 446 (f,g/2) steps; 523 divsteps */ | ||
| 1214 | {{0x3758, 0xa56c, 0xe41e, 0x4e47, 0x0975, 0xa82b, 0x107c, 0x89cf, | ||
| 1215 | 0x2093, 0x5a0c, 0xda37, 0xe007, 0x6074, 0x4f68, 0x2f5a, 0xbb8a}, | ||
| 1216 | {0x4beb, 0xa40f, 0x2c42, 0xd9d6, 0x97e8, 0xca7c, 0xd395, 0x894f, | ||
| 1217 | 0x1f50, 0x8067, 0xa233, 0xb850, 0x1746, 0x1706, 0xbcda, 0xdf32}, | ||
| 1218 | {0x762a, 0xceda, 0x4c45, 0x1ca0, 0x8c37, 0xd8c5, 0xef57, 0x7a2c, | ||
| 1219 | 0x6e98, 0xe38a, 0xc50e, 0x2ca9, 0xcb85, 0x24d5, 0xc29c, 0x61f6}}, | ||
| 1220 | /* example doing 446 (f,g/2) steps; 523 divsteps */ | ||
| 1221 | {{0x6f38, 0x74ad, 0x7332, 0x4073, 0x6521, 0xb876, 0xa370, 0xa6bd, | ||
| 1222 | 0xcea5, 0xbd06, 0x969f, 0x77c6, 0x1e69, 0x7c49, 0x7d51, 0xb6e7}, | ||
| 1223 | {0x3f27, 0x4be4, 0xd81e, 0x1396, 0xb21f, 0x92aa, 0x6dc3, 0x6283, | ||
| 1224 | 0x6ada, 0x3ca2, 0xc1e5, 0x8b9b, 0xd705, 0x5598, 0x8ba1, 0xe087}, | ||
| 1225 | {0x6a22, 0xe834, 0xbc8d, 0xcee9, 0x42fc, 0xfc77, 0x9c45, 0x1ca8, | ||
| 1226 | 0xeb66, 0xed74, 0xaaf9, 0xe75f, 0xfe77, 0x46d2, 0x179b, 0xbf3e}}, | ||
| 1227 | /* example doing 336 (f,(f+g)/2) steps; 693 divsteps */ | ||
| 1228 | {{0x7ea7, 0x444e, 0x84ea, 0xc447, 0x7c1f, 0xab97, 0x3de6, 0x5878, | ||
| 1229 | 0x4e8b, 0xc017, 0x03e0, 0xdc40, 0xbbd0, 0x74ce, 0x0169, 0x7ab5}, | ||
| 1230 | {0x4023, 0x154f, 0xfbe4, 0x8195, 0xfda0, 0xef54, 0x9e9a, 0xc703, | ||
| 1231 | 0x2803, 0xf760, 0x6302, 0xed5b, 0x7157, 0x6456, 0xdd7d, 0xf14b}, | ||
| 1232 | {0xb6fb, 0xe3b3, 0x0733, 0xa77e, 0x44c5, 0x3003, 0xc937, 0xdd4d, | ||
| 1233 | 0x5355, 0x14e9, 0x184e, 0xcefe, 0xe6b5, 0xf2e0, 0x0a28, 0x5b74}}, | ||
| 1234 | /* example doing 336 (f,(f+g)/2) steps; 687 divsteps */ | ||
| 1235 | {{0xa893, 0xb5f4, 0x1ede, 0xa316, 0x242c, 0xbdcc, 0xb017, 0x0836, | ||
| 1236 | 0x3a37, 0x27fb, 0xfb85, 0x251e, 0xa189, 0xb15d, 0xa4b8, 0xc24c}, | ||
| 1237 | {0xb0b7, 0x57ba, 0xbb6d, 0x9177, 0xc896, 0xc7f2, 0x43b4, 0x85a6, | ||
| 1238 | 0xe6c4, 0xe50e, 0x3109, 0x7ca5, 0xd73d, 0x13ff, 0x0c3d, 0xcd62}, | ||
| 1239 | {0x48ca, 0xdb34, 0xe347, 0x2cef, 0x4466, 0x10fb, 0x7ee1, 0x6344, | ||
| 1240 | 0x4308, 0x966d, 0xd4d1, 0xb099, 0x994f, 0xd025, 0x2187, 0x5866}}, | ||
| 1241 | /* example doing 267 (g,(g-f)/2) steps; 678 divsteps */ | ||
| 1242 | {{0x0775, 0x1754, 0x01f6, 0xdf37, 0xc0be, 0x8197, 0x072f, 0x6cf5, | ||
| 1243 | 0x8b36, 0x8069, 0x5590, 0xb92d, 0x6084, 0x47a4, 0x23fe, 0xddd5}, | ||
| 1244 | {0x8e1b, 0xda37, 0x27d9, 0x312e, 0x3a2f, 0xef6d, 0xd9eb, 0x8153, | ||
| 1245 | 0xdcba, 0x9fa3, 0x9f80, 0xead5, 0x134d, 0x2ebb, 0x5ec0, 0xe032}, | ||
| 1246 | {0x1cb6, 0x5a61, 0x1bed, 0x77d6, 0xd5d1, 0x7498, 0xef33, 0x2dd2, | ||
| 1247 | 0x1089, 0xedbd, 0x6958, 0x16ae, 0x336c, 0x45e6, 0x4361, 0xbadc}}, | ||
| 1248 | /* example doing 267 (g,(g-f)/2) steps; 676 divsteps */ | ||
| 1249 | {{0x0207, 0xf948, 0xc430, 0xf36b, 0xf0a7, 0x5d36, 0x751f, 0x132c, | ||
| 1250 | 0x6f25, 0xa630, 0xca1f, 0xc967, 0xaf9c, 0x34e7, 0xa38f, 0xbe9f}, | ||
| 1251 | {0x5fb9, 0x7321, 0x6561, 0x5fed, 0x54ec, 0x9c3a, 0xee0e, 0x6717, | ||
| 1252 | 0x49af, 0xb896, 0xf4f5, 0x451c, 0x722a, 0xf116, 0x64a9, 0xcf0b}, | ||
| 1253 | {0xf4d7, 0xdb47, 0xfef2, 0x4806, 0x4cb8, 0x18c7, 0xd9a7, 0x4951, | ||
| 1254 | 0x14d8, 0x5c3a, 0xd22d, 0xd7b2, 0x750c, 0x3de7, 0x8b4a, 0x19aa}}, | ||
| 1255 | |||
| 1256 | /* Test cases triggering edge cases in divsteps variant starting with delta=1/2 */ | ||
| 1257 | |||
| 1258 | /* example needing 590 divsteps; delta=-5/2..7/2 */ | ||
| 1259 | {{0x9118, 0xb640, 0x53d7, 0x30ab, 0x2a23, 0xd907, 0x9323, 0x5b3a, | ||
| 1260 | 0xb6d4, 0x538a, 0x7637, 0xfe97, 0xfd05, 0x3cc0, 0x453a, 0xfb7e}, | ||
| 1261 | {0x6983, 0x4f75, 0x4ad1, 0x48ad, 0xb2d9, 0x521d, 0x3dbc, 0x9cc0, | ||
| 1262 | 0x4b60, 0x0ac6, 0xd3be, 0x0fb6, 0xd305, 0x3895, 0x2da5, 0xfdf8}, | ||
| 1263 | {0xcec1, 0x33ac, 0xa801, 0x8194, 0xe36c, 0x65ef, 0x103b, 0xca54, | ||
| 1264 | 0xfa9b, 0xb41d, 0x9b52, 0xb6f7, 0xa611, 0x84aa, 0x3493, 0xbf54}}, | ||
| 1265 | /* example needing 590 divsteps; delta=-3/2..5/2 */ | ||
| 1266 | {{0xb5f2, 0x42d0, 0x35e8, 0x8ca0, 0x4b62, 0x6e1d, 0xbdf3, 0x890e, | ||
| 1267 | 0x8c82, 0x23d8, 0xc79a, 0xc8e8, 0x789e, 0x353d, 0x9766, 0xea9d}, | ||
| 1268 | {0x6fa1, 0xacba, 0x4b7a, 0x5de1, 0x95d0, 0xc845, 0xebbf, 0x6f5a, | ||
| 1269 | 0x30cf, 0x52db, 0x69b7, 0xe278, 0x4b15, 0x8411, 0x2ab2, 0xf3e7}, | ||
| 1270 | {0xf12c, 0x9d6d, 0x95fa, 0x1878, 0x9f13, 0x4fb5, 0x3c8b, 0xa451, | ||
| 1271 | 0x7182, 0xc4b6, 0x7e2a, 0x7bb7, 0x6e0e, 0x5b68, 0xde55, 0x9927}}, | ||
| 1272 | /* example needing 590 divsteps; delta=-3/2..5/2 */ | ||
| 1273 | {{0x229c, 0x4ef8, 0x1e93, 0xe5dc, 0xcde5, 0x6d62, 0x263b, 0xad11, | ||
| 1274 | 0xced0, 0x88ff, 0xae8e, 0x3183, 0x11d2, 0xa50b, 0x350d, 0xeb40}, | ||
| 1275 | {0x3157, 0xe2ea, 0x8a02, 0x0aa3, 0x5ae1, 0xb26c, 0xea27, 0x6805, | ||
| 1276 | 0x87e2, 0x9461, 0x37c1, 0x2f8d, 0x85d2, 0x77a8, 0xf805, 0xeec9}, | ||
| 1277 | {0x6f4e, 0x2748, 0xf7e5, 0xd8d3, 0xabe2, 0x7270, 0xc4e0, 0xedc7, | ||
| 1278 | 0xf196, 0x78ca, 0x9139, 0xd8af, 0x72c6, 0xaf2f, 0x85d2, 0x6cd3}}, | ||
| 1279 | /* example needing 590 divsteps; delta=-5/2..7/2 */ | ||
| 1280 | {{0xdce8, 0xf1fe, 0x6708, 0x021e, 0xf1ca, 0xd609, 0x5443, 0x85ce, | ||
| 1281 | 0x7a05, 0x8f9c, 0x90c3, 0x52e7, 0x8e1d, 0x97b8, 0xc0bf, 0xf2a1}, | ||
| 1282 | {0xbd3d, 0xed11, 0x1625, 0xb4c5, 0x844c, 0xa413, 0x2569, 0xb9ba, | ||
| 1283 | 0xcd35, 0xff84, 0xcd6e, 0x7f0b, 0x7d5d, 0x10df, 0x3efe, 0xfbe5}, | ||
| 1284 | {0xa9dd, 0xafef, 0xb1b7, 0x4c8d, 0x50e4, 0xafbf, 0x2d5a, 0xb27c, | ||
| 1285 | 0x0653, 0x66b6, 0x5d36, 0x4694, 0x7e35, 0xc47c, 0x857f, 0x32c5}}, | ||
| 1286 | /* example needing 590 divsteps; delta=-3/2..5/2 */ | ||
| 1287 | {{0x7902, 0xc9f8, 0x926b, 0xaaeb, 0x90f8, 0x1c89, 0xcce3, 0x96b7, | ||
| 1288 | 0x28b2, 0x87a2, 0x136d, 0x695a, 0xa8df, 0x9061, 0x9e31, 0xee82}, | ||
| 1289 | {0xd3a9, 0x3c02, 0x818c, 0x6b81, 0x34b3, 0xebbb, 0xe2c8, 0x7712, | ||
| 1290 | 0xbfd6, 0x8248, 0xa6f4, 0xba6f, 0x03bb, 0xfb54, 0x7575, 0xfe89}, | ||
| 1291 | {0x8246, 0x0d63, 0x478e, 0xf946, 0xf393, 0x0451, 0x08c2, 0x5919, | ||
| 1292 | 0x5fd6, 0x4c61, 0xbeb7, 0x9a15, 0x30e1, 0x55fc, 0x6a01, 0x3724}}, | ||
| 1293 | /* example reaching delta=-127/2..129/2; 571 divsteps */ | ||
| 1294 | {{0x3eff, 0x926a, 0x77f5, 0x1fff, 0x1a5b, 0xf3ef, 0xf64b, 0x8681, | ||
| 1295 | 0xf800, 0xf9bc, 0x761d, 0xe268, 0x62b0, 0xa032, 0xba9c, 0xbe56}, | ||
| 1296 | {0xb8f9, 0x00e7, 0x47b7, 0xdffc, 0xfd9d, 0x5abb, 0xa19b, 0x1868, | ||
| 1297 | 0x31fd, 0x3b29, 0x3674, 0x5449, 0xf54d, 0x1d19, 0x6ac7, 0xff6f}, | ||
| 1298 | {0xf1d7, 0x3551, 0x5682, 0x9adf, 0xe8aa, 0x19a5, 0x8340, 0x71db, | ||
| 1299 | 0xb7ab, 0x4cfd, 0xf661, 0x632c, 0xc27e, 0xd3c6, 0xdf42, 0xd306}}, | ||
| 1300 | /* example reaching delta=-127/2..129/2; 571 divsteps */ | ||
| 1301 | {{0x0000, 0x0000, 0x0000, 0x0000, 0x3aff, 0x2ed7, 0xf2e0, 0xabc7, | ||
| 1302 | 0x8aee, 0x166e, 0x7ed0, 0x9ac7, 0x714a, 0xb9c5, 0x4d58, 0xad6c}, | ||
| 1303 | {0x9cf9, 0x47e2, 0xa421, 0xb277, 0xffc2, 0x2747, 0x6486, 0x94c1, | ||
| 1304 | 0x1d99, 0xd49b, 0x1096, 0x991a, 0xe986, 0xae02, 0xe89b, 0xea36}, | ||
| 1305 | {0x1fb4, 0x98d8, 0x19b7, 0x80e9, 0xcdac, 0xaa5a, 0xf1e6, 0x0074, | ||
| 1306 | 0xe393, 0xed8b, 0x8d5c, 0xe17d, 0x81b3, 0xc16d, 0x54d3, 0x9be3}}, | ||
| 1307 | /* example reaching delta=-127/2..129/2; 571 divsteps */ | ||
| 1308 | {{0xd047, 0x7e36, 0x3157, 0x7ab6, 0xb4d9, 0x8dae, 0x7534, 0x4f5d, | ||
| 1309 | 0x489e, 0xa8ab, 0x8a3d, 0xd52c, 0x62af, 0xa032, 0xba9c, 0xbe56}, | ||
| 1310 | {0xb1f1, 0x737f, 0x5964, 0x5afb, 0x3712, 0x8ef9, 0x19f7, 0x9669, | ||
| 1311 | 0x664d, 0x03ad, 0xc352, 0xf7a5, 0xf545, 0x1d19, 0x6ac7, 0xff6f}, | ||
| 1312 | {0xa834, 0x5256, 0x27bc, 0x33bd, 0xba11, 0x5a7b, 0x791e, 0xe6c0, | ||
| 1313 | 0x9ac4, 0x9370, 0x1130, 0x28b4, 0x2b2e, 0x231b, 0x082a, 0x796e}}, | ||
| 1314 | /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */ | ||
| 1315 | {{0x6ab1, 0x6ea0, 0x1a99, 0xe0c2, 0xdd45, 0x645d, 0x8dbc, 0x466a, | ||
| 1316 | 0xfa64, 0x4289, 0xd3f7, 0xfc8f, 0x2894, 0xe3c5, 0xa008, 0xcc14}, | ||
| 1317 | {0xc75f, 0xc083, 0x4cc2, 0x64f2, 0x2aff, 0x4c12, 0x8461, 0xc4ae, | ||
| 1318 | 0xbbfa, 0xb336, 0xe4b2, 0x3ac5, 0x2c22, 0xf56c, 0x5381, 0xe943}, | ||
| 1319 | {0xcd80, 0x760d, 0x4395, 0xb3a6, 0xd497, 0xf583, 0x82bd, 0x1daa, | ||
| 1320 | 0xbe92, 0x2613, 0xfdfb, 0x869b, 0x0425, 0xa333, 0x7056, 0xc9c5}}, | ||
| 1321 | /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */ | ||
| 1322 | {{0x71d4, 0x64df, 0xec4f, 0x74d8, 0x7e0c, 0x40d3, 0x7073, 0x4cc8, | ||
| 1323 | 0x2a2a, 0xb1ff, 0x8518, 0x6513, 0xb0ea, 0x640a, 0x62d9, 0xd5f4}, | ||
| 1324 | {0xdc75, 0xd937, 0x3b13, 0x1d36, 0xdf83, 0xd034, 0x1c1c, 0x4332, | ||
| 1325 | 0x4cc3, 0xeeec, 0x7d94, 0x6771, 0x3384, 0x74b0, 0x947d, 0xf2c4}, | ||
| 1326 | {0x0a82, 0x37a4, 0x12d5, 0xec97, 0x972c, 0xe6bf, 0xc348, 0xa0a9, | ||
| 1327 | 0xc50c, 0xdc7c, 0xae30, 0x19d1, 0x0fca, 0x35e1, 0xd6f6, 0x81ee}}, | ||
| 1328 | /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */ | ||
| 1329 | {{0xa6b1, 0xabc5, 0x5bbc, 0x7f65, 0xdd32, 0xaa73, 0xf5a3, 0x1982, | ||
| 1330 | 0xced4, 0xe949, 0x0fd6, 0x2bc4, 0x2bd7, 0xe3c5, 0xa008, 0xcc14}, | ||
| 1331 | {0x4b5f, 0x8f96, 0xa375, 0xfbcf, 0x1c7d, 0xf1ec, 0x03f5, 0xb35d, | ||
| 1332 | 0xb999, 0xdb1f, 0xc9a1, 0xb4c7, 0x1dd5, 0xf56c, 0x5381, 0xe943}, | ||
| 1333 | {0xaa3d, 0x38b9, 0xf17d, 0xeed9, 0x9988, 0x69ee, 0xeb88, 0x1495, | ||
| 1334 | 0x203f, 0x18c8, 0x82b7, 0xdcb2, 0x34a7, 0x6b00, 0x6998, 0x589a}}, | ||
| 1335 | /* example doing 453 (f,g/2) steps; 514 divsteps */ | ||
| 1336 | {{0xa478, 0xe60d, 0x3244, 0x60e6, 0xada3, 0xfe50, 0xb6b1, 0x2eae, | ||
| 1337 | 0xd0ef, 0xa7b1, 0xef63, 0x05c0, 0xe213, 0x443e, 0x4427, 0x2448}, | ||
| 1338 | {0x258f, 0xf9ef, 0xe02b, 0x92dd, 0xd7f3, 0x252b, 0xa503, 0x9089, | ||
| 1339 | 0xedff, 0x96c1, 0xfe3a, 0x3a39, 0x198a, 0x981d, 0x0627, 0xedb7}, | ||
| 1340 | {0x595a, 0x45be, 0x8fb0, 0x2265, 0xc210, 0x02b8, 0xdce9, 0xe241, | ||
| 1341 | 0xcab6, 0xbf0d, 0x0049, 0x8d9a, 0x2f51, 0xae54, 0x5785, 0xb411}}, | ||
| 1342 | /* example doing 453 (f,g/2) steps; 514 divsteps */ | ||
| 1343 | {{0x48f0, 0x7db3, 0xdafe, 0x1c92, 0x5912, 0xe11a, 0xab52, 0xede1, | ||
| 1344 | 0x3182, 0x8980, 0x5d2b, 0x9b5b, 0x8718, 0xda27, 0x1683, 0x1de2}, | ||
| 1345 | {0x168f, 0x6f36, 0xce7a, 0xf435, 0x19d4, 0xda5e, 0x2351, 0x9af5, | ||
| 1346 | 0xb003, 0x0ef5, 0x3b4c, 0xecec, 0xa9f0, 0x78e1, 0xdfef, 0xe823}, | ||
| 1347 | {0x5f55, 0xfdcc, 0xb233, 0x2914, 0x84f0, 0x97d1, 0x9cf4, 0x2159, | ||
| 1348 | 0xbf56, 0xb79c, 0x17a3, 0x7cef, 0xd5de, 0x34f0, 0x5311, 0x4c54}}, | ||
| 1349 | /* example doing 510 (f,(f+g)/2) steps; 512 divsteps */ | ||
| 1350 | {{0x2789, 0x2e04, 0x6e0e, 0xb6cd, 0xe4de, 0x4dbf, 0x228d, 0x7877, | ||
| 1351 | 0xc335, 0x806b, 0x38cd, 0x8049, 0xa73b, 0xcfa2, 0x82f7, 0x9e19}, | ||
| 1352 | {0xc08d, 0xb99d, 0xb8f3, 0x663d, 0xbbb3, 0x1284, 0x1485, 0x1d49, | ||
| 1353 | 0xc98f, 0x9e78, 0x1588, 0x11e3, 0xd91a, 0xa2c7, 0xfff1, 0xc7b9}, | ||
| 1354 | {0x1e1f, 0x411d, 0x7c49, 0x0d03, 0xe789, 0x2f8e, 0x5d55, 0xa95e, | ||
| 1355 | 0x826e, 0x8de5, 0x52a0, 0x1abc, 0x4cd7, 0xd13a, 0x4395, 0x63e1}}, | ||
| 1356 | /* example doing 510 (f,(f+g)/2) steps; 512 divsteps */ | ||
| 1357 | {{0xd5a1, 0xf786, 0x555c, 0xb14b, 0x44ae, 0x535f, 0x4a49, 0xffc3, | ||
| 1358 | 0xf497, 0x70d1, 0x57c8, 0xa933, 0xc85a, 0x1910, 0x75bf, 0x960b}, | ||
| 1359 | {0xfe53, 0x5058, 0x496d, 0xfdff, 0x6fb8, 0x4100, 0x92bd, 0xe0c4, | ||
| 1360 | 0xda89, 0xe0a4, 0x841b, 0x43d4, 0xa388, 0x957f, 0x99ca, 0x9abf}, | ||
| 1361 | {0xe530, 0x05bc, 0xfeec, 0xfc7e, 0xbcd3, 0x1239, 0x54cb, 0x7042, | ||
| 1362 | 0xbccb, 0x139e, 0x9076, 0x0203, 0x6068, 0x90c7, 0x1ddf, 0x488d}}, | ||
| 1363 | /* example doing 228 (g,(g-f)/2) steps; 538 divsteps */ | ||
| 1364 | {{0x9488, 0xe54b, 0x0e43, 0x81d2, 0x06e7, 0x4b66, 0x36d0, 0x53d6, | ||
| 1365 | 0x2b68, 0x22ec, 0x3fa9, 0xc1a7, 0x9ad2, 0xa596, 0xb3ac, 0xdf42}, | ||
| 1366 | {0xe31f, 0x0b28, 0x5f3b, 0xc1ff, 0x344c, 0xbf5f, 0xd2ec, 0x2936, | ||
| 1367 | 0x9995, 0xdeb2, 0xae6c, 0x2852, 0xa2c6, 0xb306, 0x8120, 0xe305}, | ||
| 1368 | {0xa56e, 0xfb98, 0x1537, 0x4d85, 0x619e, 0x866c, 0x3cd4, 0x779a, | ||
| 1369 | 0xdd66, 0xa80d, 0xdc2f, 0xcae4, 0xc74c, 0x5175, 0xa65d, 0x605e}}, | ||
| 1370 | /* example doing 228 (g,(g-f)/2) steps; 537 divsteps */ | ||
| 1371 | {{0x8cd5, 0x376d, 0xd01b, 0x7176, 0x19ef, 0xcf09, 0x8403, 0x5e52, | ||
| 1372 | 0x83c1, 0x44de, 0xb91e, 0xb33d, 0xe15c, 0x51e7, 0xbad8, 0x6359}, | ||
| 1373 | {0x3b75, 0xf812, 0x5f9e, 0xa04e, 0x92d3, 0x226e, 0x540e, 0x7c9a, | ||
| 1374 | 0x31c6, 0x46d2, 0x0b7b, 0xdb4a, 0xe662, 0x4950, 0x0265, 0xf76f}, | ||
| 1375 | {0x09ed, 0x692f, 0xe8f1, 0x3482, 0xab54, 0x36b4, 0x8442, 0x6ae9, | ||
| 1376 | 0x4329, 0x6505, 0x183b, 0x1c1d, 0x482d, 0x7d63, 0xb44f, 0xcc09}}, | ||
| 1377 | |||
| 1378 | /* Test cases with the group order as modulus. */ | ||
| 1379 | |||
| 1380 | /* Test case with the group order as modulus, needing 635 divsteps. */ | ||
| 1381 | {{0x95ed, 0x6c01, 0xd113, 0x5ff1, 0xd7d0, 0x29cc, 0x5817, 0x6120, | ||
| 1382 | 0xca8e, 0xaad1, 0x25ae, 0x8e84, 0x9af6, 0x30bf, 0xf0ed, 0x1686}, | ||
| 1383 | {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae, | ||
| 1384 | 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, | ||
| 1385 | {0x1631, 0xbf4a, 0x286a, 0x2716, 0x469f, 0x2ac8, 0x1312, 0xe9bc, | ||
| 1386 | 0x04f4, 0x304b, 0x9931, 0x113b, 0xd932, 0xc8f4, 0x0d0d, 0x01a1}}, | ||
| 1387 | /* example with group size as modulus needing 631 divsteps */ | ||
| 1388 | {{0x85ed, 0xc284, 0x9608, 0x3c56, 0x19b6, 0xbb5b, 0x2850, 0xdab7, | ||
| 1389 | 0xa7f5, 0xe9ab, 0x06a4, 0x5bbb, 0x1135, 0xa186, 0xc424, 0xc68b}, | ||
| 1390 | {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae, | ||
| 1391 | 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, | ||
| 1392 | {0x8479, 0x450a, 0x8fa3, 0xde05, 0xb2f5, 0x7793, 0x7269, 0xbabb, | ||
| 1393 | 0xc3b3, 0xd49b, 0x3377, 0x03c6, 0xe694, 0xc760, 0xd3cb, 0x2811}}, | ||
| 1394 | /* example with group size as modulus needing 565 divsteps starting at delta=1/2 */ | ||
| 1395 | {{0x8432, 0x5ceb, 0xa847, 0x6f1e, 0x51dd, 0x535a, 0x6ddc, 0x70ce, | ||
| 1396 | 0x6e70, 0xc1f6, 0x18f2, 0x2a7e, 0xc8e7, 0x39f8, 0x7e96, 0xebbf}, | ||
| 1397 | {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae, | ||
| 1398 | 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, | ||
| 1399 | {0x257e, 0x449f, 0x689f, 0x89aa, 0x3989, 0xb661, 0x376c, 0x1e32, | ||
| 1400 | 0x654c, 0xee2e, 0xf4e2, 0x33c8, 0x3f2f, 0x9716, 0x6046, 0xcaa3}}, | ||
| 1401 | /* Test case with the group size as modulus, needing 981 divsteps with | ||
| 1402 | broken eta handling. */ | ||
| 1403 | {{0xfeb9, 0xb877, 0xee41, 0x7fa3, 0x87da, 0x94c4, 0x9d04, 0xc5ae, | ||
| 1404 | 0x5708, 0x0994, 0xfc79, 0x0916, 0xbf32, 0x3ad8, 0xe11c, 0x5ca2}, | ||
| 1405 | {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae, | ||
| 1406 | 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, | ||
| 1407 | {0x0f12, 0x075e, 0xce1c, 0x6f92, 0xc80f, 0xca92, 0x9a04, 0x6126, | ||
| 1408 | 0x4b6c, 0x57d6, 0xca31, 0x97f3, 0x1f99, 0xf4fd, 0xda4d, 0x42ce}}, | ||
| 1409 | /* Test case with the group size as modulus, input = 0. */ | ||
| 1410 | {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, | ||
| 1411 | 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}, | ||
| 1412 | {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae, | ||
| 1413 | 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, | ||
| 1414 | {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, | ||
| 1415 | 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}}, | ||
| 1416 | /* Test case with the group size as modulus, input = 1. */ | ||
| 1417 | {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, | ||
| 1418 | 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}, | ||
| 1419 | {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae, | ||
| 1420 | 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, | ||
| 1421 | {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, | ||
| 1422 | 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}}, | ||
| 1423 | /* Test case with the group size as modulus, input = 2. */ | ||
| 1424 | {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, | ||
| 1425 | 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}, | ||
| 1426 | {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae, | ||
| 1427 | 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, | ||
| 1428 | {0x20a1, 0x681b, 0x2f46, 0xdfe9, 0x501d, 0x57a4, 0x6e73, 0x5d57, | ||
| 1429 | 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}}, | ||
| 1430 | /* Test case with the group size as modulus, input = group - 1. */ | ||
| 1431 | {{0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae, | ||
| 1432 | 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, | ||
| 1433 | {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae, | ||
| 1434 | 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, | ||
| 1435 | {0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae, | ||
| 1436 | 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}}, | ||
| 1437 | |||
| 1438 | /* Test cases with the field size as modulus. */ | ||
| 1439 | |||
| 1440 | /* Test case with the field size as modulus, needing 637 divsteps. */ | ||
| 1441 | {{0x9ec3, 0x1919, 0xca84, 0x7c11, 0xf996, 0x06f3, 0x5408, 0x6688, | ||
| 1442 | 0x1320, 0xdb8a, 0x632a, 0x0dcb, 0x8a84, 0x6bee, 0x9c95, 0xe34e}, | ||
| 1443 | {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, | ||
| 1444 | 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, | ||
| 1445 | {0x18e5, 0x19b6, 0xdf92, 0x1aaa, 0x09fb, 0x8a3f, 0x52b0, 0x8701, | ||
| 1446 | 0xac0c, 0x2582, 0xda44, 0x9bcc, 0x6828, 0x1c53, 0xbd8f, 0xbd2c}}, | ||
| 1447 | /* example with field size as modulus needing 637 divsteps */ | ||
| 1448 | {{0xaec3, 0xa7cf, 0x2f2d, 0x0693, 0x5ad5, 0xa8ff, 0x7ec7, 0x30ff, | ||
| 1449 | 0x0c8b, 0xc242, 0xcab2, 0x063a, 0xf86e, 0x6057, 0x9cbd, 0xf6d8}, | ||
| 1450 | {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, | ||
| 1451 | 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, | ||
| 1452 | {0x0310, 0x579d, 0xcb38, 0x9030, 0x3ded, 0x9bb9, 0x1234, 0x63ce, | ||
| 1453 | 0x0c63, 0x8e3d, 0xacfe, 0x3c20, 0xdc85, 0xf859, 0x919e, 0x1d45}}, | ||
| 1454 | /* example with field size as modulus needing 564 divsteps starting at delta=1/2 */ | ||
| 1455 | {{0x63ae, 0x8d10, 0x0071, 0xdb5c, 0xb454, 0x78d1, 0x744a, 0x5f8e, | ||
| 1456 | 0xe4d8, 0x87b1, 0x8e62, 0x9590, 0xcede, 0xa070, 0x36b4, 0x7f6f}, | ||
| 1457 | {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, | ||
| 1458 | 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, | ||
| 1459 | {0xfdc8, 0xe8d5, 0xbe15, 0x9f86, 0xa5fe, 0xf18e, 0xa7ff, 0xd291, | ||
| 1460 | 0xf4c2, 0x9c87, 0xf150, 0x073e, 0x69b8, 0xf7c4, 0xee4b, 0xc7e6}}, | ||
| 1461 | /* Test case with the field size as modulus, needing 935 divsteps with | ||
| 1462 | broken eta handling. */ | ||
| 1463 | {{0x1b37, 0xbdc3, 0x8bcd, 0x25e3, 0x1eae, 0x567d, 0x30b6, 0xf0d8, | ||
| 1464 | 0x9277, 0x0cf8, 0x9c2e, 0xecd7, 0x631d, 0xe38f, 0xd4f8, 0x5c93}, | ||
| 1465 | {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, | ||
| 1466 | 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, | ||
| 1467 | {0x1622, 0xe05b, 0xe880, 0x7de9, 0x3e45, 0xb682, 0xee6c, 0x67ed, | ||
| 1468 | 0xa179, 0x15db, 0x6b0d, 0xa656, 0x7ccb, 0x8ef7, 0xa2ff, 0xe279}}, | ||
| 1469 | /* Test case with the field size as modulus, input = 0. */ | ||
| 1470 | {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, | ||
| 1471 | 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}, | ||
| 1472 | {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, | ||
| 1473 | 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, | ||
| 1474 | {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, | ||
| 1475 | 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}}, | ||
| 1476 | /* Test case with the field size as modulus, input = 1. */ | ||
| 1477 | {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, | ||
| 1478 | 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}, | ||
| 1479 | {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, | ||
| 1480 | 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, | ||
| 1481 | {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, | ||
| 1482 | 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}}, | ||
| 1483 | /* Test case with the field size as modulus, input = 2. */ | ||
| 1484 | {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, | ||
| 1485 | 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}, | ||
| 1486 | {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, | ||
| 1487 | 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, | ||
| 1488 | {0xfe18, 0x7fff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, | ||
| 1489 | 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}}, | ||
| 1490 | /* Test case with the field size as modulus, input = field - 1. */ | ||
| 1491 | {{0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, | ||
| 1492 | 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, | ||
| 1493 | {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, | ||
| 1494 | 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, | ||
| 1495 | {0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, | ||
| 1496 | 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}}, | ||
| 1497 | |||
| 1498 | /* Selected from a large number of random inputs to reach small/large | ||
| 1499 | * d/e values in various configurations. */ | ||
| 1500 | {{0x3a08, 0x23e1, 0x4d8c, 0xe606, 0x3263, 0x67af, 0x9bf1, 0x9d70, | ||
| 1501 | 0xf5fd, 0x12e4, 0x03c8, 0xb9ca, 0xe847, 0x8c5d, 0x6322, 0xbd30}, | ||
| 1502 | {0x8359, 0x59dd, 0x1831, 0x7c1a, 0x1e83, 0xaee1, 0x770d, 0xcea8, | ||
| 1503 | 0xfbb1, 0xeed6, 0x10b5, 0xe2c6, 0x36ea, 0xee17, 0xe32c, 0xffff}, | ||
| 1504 | {0x1727, 0x0f36, 0x6f85, 0x5d0c, 0xca6c, 0x3072, 0x9628, 0x5842, | ||
| 1505 | 0xcb44, 0x7c2b, 0xca4f, 0x62e5, 0x29b1, 0x6ffd, 0x9055, 0xc196}}, | ||
| 1506 | {{0x905d, 0x41c8, 0xa2ff, 0x295b, 0x72bb, 0x4679, 0x6d01, 0x2c98, | ||
| 1507 | 0xb3e0, 0xc537, 0xa310, 0xe07e, 0xe72f, 0x4999, 0x1148, 0xf65e}, | ||
| 1508 | {0x5b41, 0x4239, 0x3c37, 0x5130, 0x30e3, 0xff35, 0xc51f, 0x1a43, | ||
| 1509 | 0xdb23, 0x13cf, 0x9f49, 0xf70c, 0x5e70, 0xd411, 0x3005, 0xf8c6}, | ||
| 1510 | {0xc30e, 0x68f0, 0x201a, 0xe10c, 0x864a, 0x6243, 0xe946, 0x43ae, | ||
| 1511 | 0xf3f1, 0x52dc, 0x1f7f, 0x50d4, 0x2797, 0x064c, 0x5ca4, 0x90e3}}, | ||
| 1512 | {{0xf1b5, 0xc6e5, 0xd2c4, 0xff95, 0x27c5, 0x0c92, 0x5d19, 0x7ae5, | ||
| 1513 | 0x4fbe, 0x5438, 0x99e1, 0x880d, 0xd892, 0xa05c, 0x6ffd, 0x7eac}, | ||
| 1514 | {0x2153, 0xcc9d, 0xfc6c, 0x8358, 0x49a1, 0x01e2, 0xcef0, 0x4969, | ||
| 1515 | 0xd69a, 0x8cef, 0xf5b2, 0xfd95, 0xdcc2, 0x71f4, 0x6ae2, 0xceeb}, | ||
| 1516 | {0x9b2e, 0xcdc6, 0x0a5c, 0x7317, 0x9084, 0xe228, 0x56cf, 0xd512, | ||
| 1517 | 0x628a, 0xce21, 0x3473, 0x4e13, 0x8823, 0x1ed0, 0x34d0, 0xbfa3}}, | ||
| 1518 | {{0x5bae, 0x53e5, 0x5f4d, 0x21ca, 0xb875, 0x8ecf, 0x9aa6, 0xbe3c, | ||
| 1519 | 0x9f96, 0x7b82, 0x375d, 0x4d3e, 0x491c, 0xb1eb, 0x04c9, 0xb6c8}, | ||
| 1520 | {0xfcfd, 0x10b7, 0x73b2, 0xd23b, 0xa357, 0x67da, 0x0d9f, 0x8702, | ||
| 1521 | 0xa037, 0xff8e, 0x0e8b, 0x1801, 0x2c5c, 0x4e6e, 0x4558, 0xfff2}, | ||
| 1522 | {0xc50f, 0x5654, 0x6713, 0x5ef5, 0xa7ce, 0xa647, 0xc832, 0x69ce, | ||
| 1523 | 0x1d5c, 0x4310, 0x0746, 0x5a01, 0x96ea, 0xde4b, 0xa88b, 0x5543}}, | ||
| 1524 | {{0xdc7f, 0x5e8c, 0x89d1, 0xb077, 0xd521, 0xcf90, 0x32fa, 0x5737, | ||
| 1525 | 0x839e, 0x1464, 0x007c, 0x09c6, 0x9371, 0xe8ea, 0xc1cb, 0x75c4}, | ||
| 1526 | {0xe3a3, 0x107f, 0xa82a, 0xa375, 0x4578, 0x60f4, 0x75c9, 0x5ee4, | ||
| 1527 | 0x3fd7, 0x2736, 0x2871, 0xd3d2, 0x5f1d, 0x1abb, 0xa764, 0xffff}, | ||
| 1528 | {0x45c6, 0x1f2e, 0xb14c, 0x84d7, 0x7bb7, 0x5a04, 0x0504, 0x3f33, | ||
| 1529 | 0x5cc1, 0xb07a, 0x6a6c, 0x786f, 0x647f, 0xe1d7, 0x78a2, 0x4cf4}}, | ||
| 1530 | {{0xc006, 0x356f, 0x8cd2, 0x967b, 0xb49e, 0x2d4e, 0x14bf, 0x4bcb, | ||
| 1531 | 0xddab, 0xd3f9, 0xa068, 0x2c1c, 0xd242, 0xa56d, 0xf2c7, 0x5f97}, | ||
| 1532 | {0x465b, 0xb745, 0x0e0d, 0x69a9, 0x987d, 0xcb37, 0xf637, 0xb311, | ||
| 1533 | 0xc4d6, 0x2ddb, 0xf68f, 0x2af9, 0x959d, 0x3f53, 0x98f2, 0xf640}, | ||
| 1534 | {0xc0f2, 0x6bfb, 0xf5c3, 0x91c1, 0x6b05, 0x0825, 0x5ca0, 0x7df7, | ||
| 1535 | 0x9d55, 0x6d9e, 0xfe94, 0x2ad9, 0xd9f0, 0xe68b, 0xa72b, 0xd1b2}}, | ||
| 1536 | {{0x2279, 0x61ba, 0x5bc6, 0x136b, 0xf544, 0x717c, 0xafda, 0x02bd, | ||
| 1537 | 0x79af, 0x1fad, 0xea09, 0x81bb, 0x932b, 0x32c9, 0xdf1d, 0xe576}, | ||
| 1538 | {0x8215, 0x7817, 0xca82, 0x43b0, 0x9b06, 0xea65, 0x1291, 0x0621, | ||
| 1539 | 0x0089, 0x46fe, 0xc5a6, 0xddd7, 0x8065, 0xc6a0, 0x214b, 0xfc64}, | ||
| 1540 | {0x04bf, 0x6f2a, 0x86b2, 0x841a, 0x4a95, 0xc632, 0x97b7, 0x5821, | ||
| 1541 | 0x2b18, 0x1bb0, 0x3e97, 0x935e, 0xcc7d, 0x066b, 0xd513, 0xc251}}, | ||
| 1542 | {{0x76e8, 0x5bc2, 0x3eaa, 0x04fc, 0x9974, 0x92c1, 0x7c15, 0xfa89, | ||
| 1543 | 0x1151, 0x36ee, 0x48b2, 0x049c, 0x5f16, 0xcee4, 0x925b, 0xe98e}, | ||
| 1544 | {0x913f, 0x0a2d, 0xa185, 0x9fea, 0xda5a, 0x4025, 0x40d7, 0x7cfa, | ||
| 1545 | 0x88ca, 0xbbe8, 0xb265, 0xb7e4, 0x6cb1, 0xed64, 0xc6f9, 0xffb5}, | ||
| 1546 | {0x6ab1, 0x1a86, 0x5009, 0x152b, 0x1cc4, 0xe2c8, 0x960b, 0x19d0, | ||
| 1547 | 0x3554, 0xc562, 0xd013, 0xcf91, 0x10e1, 0x7933, 0xe195, 0xcf49}}, | ||
| 1548 | {{0x9cb5, 0xd2d7, 0xc6ed, 0xa818, 0xb495, 0x06ee, 0x0f4a, 0x06e3, | ||
| 1549 | 0x4c5a, 0x80ce, 0xd49a, 0x4cd7, 0x7487, 0x92af, 0xe516, 0x676c}, | ||
| 1550 | {0xd6e9, 0x6b85, 0x619a, 0xb52c, 0x20a0, 0x2f79, 0x3545, 0x1edd, | ||
| 1551 | 0x5a6f, 0x8082, 0x9b80, 0xf8f8, 0xc78a, 0xd0a3, 0xadf4, 0xffff}, | ||
| 1552 | {0x01c2, 0x2118, 0xef5e, 0xa877, 0x046a, 0xd2c2, 0x2ad5, 0x951c, | ||
| 1553 | 0x8900, 0xa5c9, 0x8d0f, 0x6b61, 0x55d3, 0xd572, 0x48de, 0x9219}}, | ||
| 1554 | {{0x5114, 0x0644, 0x23dd, 0x01d3, 0xc101, 0xa659, 0xea17, 0x640f, | ||
| 1555 | 0xf767, 0x2644, 0x9cec, 0xd8ba, 0xd6da, 0x9156, 0x8aeb, 0x875a}, | ||
| 1556 | {0xc1bf, 0xdae9, 0xe96b, 0xce77, 0xf7a1, 0x3e99, 0x5c2e, 0x973b, | ||
| 1557 | 0xd048, 0x5bd0, 0x4e8a, 0xcb85, 0xce39, 0x37f5, 0x815d, 0xffff}, | ||
| 1558 | {0x48cc, 0x35b6, 0x26d4, 0x2ea6, 0x50d6, 0xa2f9, 0x64b6, 0x03bf, | ||
| 1559 | 0xd00c, 0xe057, 0x3343, 0xfb79, 0x3ce5, 0xf717, 0xc5af, 0xe185}}, | ||
| 1560 | {{0x13ff, 0x6c76, 0x2077, 0x16e0, 0xd5ca, 0xf2ad, 0x8dba, 0x8f49, | ||
| 1561 | 0x7887, 0x16f9, 0xb646, 0xfc87, 0xfa31, 0x5096, 0xf08c, 0x3fbe}, | ||
| 1562 | {0x8139, 0x6fd7, 0xf6df, 0xa7bf, 0x6699, 0x5361, 0x6f65, 0x13c8, | ||
| 1563 | 0xf4d1, 0xe28f, 0xc545, 0x0a8c, 0x5274, 0xb0a6, 0xffff, 0xffff}, | ||
| 1564 | {0x22ca, 0x0cd6, 0xc1b5, 0xb064, 0x44a7, 0x297b, 0x495f, 0x34ac, | ||
| 1565 | 0xfa95, 0xec62, 0xf08d, 0x621c, 0x66a6, 0xba94, 0x84c6, 0x8ee0}}, | ||
| 1566 | {{0xaa30, 0x312e, 0x439c, 0x4e88, 0x2e2f, 0x32dc, 0xb880, 0xa28e, | ||
| 1567 | 0xf795, 0xc910, 0xb406, 0x8dd7, 0xb187, 0xa5a5, 0x38f1, 0xe49e}, | ||
| 1568 | {0xfb19, 0xf64a, 0xba6a, 0x8ec2, 0x7255, 0xce89, 0x2cf9, 0x9cba, | ||
| 1569 | 0xe1fe, 0x50da, 0x1705, 0xac52, 0xe3d4, 0x4269, 0x0648, 0xfd77}, | ||
| 1570 | {0xb4c8, 0x6e8a, 0x2b5f, 0x4c2d, 0x5a67, 0xa7bb, 0x7d6d, 0x5569, | ||
| 1571 | 0xa0ea, 0x244a, 0xc0f2, 0xf73d, 0x58cf, 0xac7f, 0xd32b, 0x3018}}, | ||
| 1572 | {{0xc953, 0x1ae1, 0xae46, 0x8709, 0x19c2, 0xa986, 0x9abe, 0x1611, | ||
| 1573 | 0x0395, 0xd5ab, 0xf0f6, 0xb5b0, 0x5b2b, 0x0317, 0x80ba, 0x376d}, | ||
| 1574 | {0xfe77, 0xbc03, 0xac2f, 0x9d00, 0xa175, 0x293d, 0x3b56, 0x0e3a, | ||
| 1575 | 0x0a9c, 0xf40c, 0x690e, 0x1508, 0x95d4, 0xddc4, 0xe805, 0xffff}, | ||
| 1576 | {0xb1ce, 0x0929, 0xa5fe, 0x4b50, 0x9d5d, 0x8187, 0x2557, 0x4376, | ||
| 1577 | 0x11ba, 0xdcef, 0xc1f3, 0xd531, 0x1824, 0x93f6, 0xd81f, 0x8f83}}, | ||
| 1578 | {{0xb8d2, 0xb900, 0x4a0c, 0x7188, 0xa5bf, 0x1b0b, 0x2ae5, 0xa35b, | ||
| 1579 | 0x98e0, 0x610c, 0x86db, 0x2487, 0xa267, 0x002c, 0xebb6, 0xc5f4}, | ||
| 1580 | {0x9cdd, 0x1c1b, 0x2f06, 0x43d1, 0xce47, 0xc334, 0x6e60, 0xc016, | ||
| 1581 | 0x989e, 0x0ab2, 0x0cac, 0x1196, 0xe2d9, 0x2e04, 0xc62b, 0xffff}, | ||
| 1582 | {0xdc36, 0x1f05, 0x6aa9, 0x7a20, 0x944f, 0x2fd3, 0xa553, 0xdb4f, | ||
| 1583 | 0xbd5c, 0x3a75, 0x25d4, 0xe20e, 0xa387, 0x1410, 0xdbb1, 0x1b60}}, | ||
| 1584 | {{0x76b3, 0x2207, 0x4930, 0x5dd7, 0x65a0, 0xd55c, 0xb443, 0x53b7, | ||
| 1585 | 0x5c22, 0x818a, 0xb2e7, 0x9de8, 0x9985, 0xed45, 0x33b1, 0x53e8}, | ||
| 1586 | {0x7913, 0x44e1, 0xf15b, 0x5edd, 0x34f3, 0x4eba, 0x0758, 0x7104, | ||
| 1587 | 0x32d9, 0x28f3, 0x4401, 0x85c5, 0xb695, 0xb899, 0xc0f2, 0xffff}, | ||
| 1588 | {0x7f43, 0xd202, 0x24c9, 0x69f3, 0x74dc, 0x1a69, 0xeaee, 0x5405, | ||
| 1589 | 0x1755, 0x4bb8, 0x04e3, 0x2fd2, 0xada8, 0x39eb, 0x5b4d, 0x96ca}}, | ||
| 1590 | {{0x807b, 0x7112, 0xc088, 0xdafd, 0x02fa, 0x9d95, 0x5e42, 0xc033, | ||
| 1591 | 0xde0a, 0xeecf, 0x8e90, 0x8da1, 0xb17e, 0x9a5b, 0x4c6d, 0x1914}, | ||
| 1592 | {0x4871, 0xd1cb, 0x47d7, 0x327f, 0x09ec, 0x97bb, 0x2fae, 0xd346, | ||
| 1593 | 0x6b78, 0x3707, 0xfeb2, 0xa6ab, 0x13df, 0x76b0, 0x8fb9, 0xffb3}, | ||
| 1594 | {0x179e, 0xb63b, 0x4784, 0x231e, 0x9f42, 0x7f1a, 0xa3fb, 0xdd8c, | ||
| 1595 | 0xd1eb, 0xb4c9, 0x8ca7, 0x018c, 0xf691, 0x576c, 0xa7d6, 0xce27}}, | ||
| 1596 | {{0x5f45, 0x7c64, 0x083d, 0xedd5, 0x08a0, 0x0c64, 0x6c6f, 0xec3c, | ||
| 1597 | 0xe2fb, 0x352c, 0x9303, 0x75e4, 0xb4e0, 0x8b09, 0xaca4, 0x7025}, | ||
| 1598 | {0x1025, 0xb482, 0xfed5, 0xa678, 0x8966, 0x9359, 0x5329, 0x98bb, | ||
| 1599 | 0x85b2, 0x73ba, 0x9982, 0x6fdc, 0xf190, 0xbe8c, 0xdc5c, 0xfd93}, | ||
| 1600 | {0x83a2, 0x87a4, 0xa680, 0x52a1, 0x1ba1, 0x8848, 0x5db7, 0x9744, | ||
| 1601 | 0x409c, 0x0745, 0x0e1e, 0x1cfc, 0x00cd, 0xf573, 0x2071, 0xccaa}}, | ||
| 1602 | {{0xf61f, 0x63d4, 0x536c, 0x9eb9, 0x5ddd, 0xbb11, 0x9014, 0xe904, | ||
| 1603 | 0xfe01, 0x6b45, 0x1858, 0xcb5b, 0x4c38, 0x43e1, 0x381d, 0x7f94}, | ||
| 1604 | {0xf61f, 0x63d4, 0xd810, 0x7ca3, 0x8a04, 0x4b83, 0x11fc, 0xdf94, | ||
| 1605 | 0x4169, 0xbd05, 0x608e, 0x7151, 0x4fbf, 0xb31a, 0x38a7, 0xa29b}, | ||
| 1606 | {0xe621, 0xdfa5, 0x3d06, 0x1d03, 0x81e6, 0x00da, 0x53a6, 0x965e, | ||
| 1607 | 0x93e5, 0x2164, 0x5b61, 0x59b8, 0xa629, 0x8d73, 0x699a, 0x6111}}, | ||
| 1608 | {{0x4cc3, 0xd29e, 0xf4a3, 0x3428, 0x2048, 0xeec9, 0x5f50, 0x99a4, | ||
| 1609 | 0x6de9, 0x05f2, 0x5aa9, 0x5fd2, 0x98b4, 0x1adc, 0x225f, 0x777f}, | ||
| 1610 | {0xe649, 0x37da, 0x5ba6, 0x5765, 0x3f4a, 0x8a1c, 0x2e79, 0xf550, | ||
| 1611 | 0x1a54, 0xcd1e, 0x7218, 0x3c3c, 0x6311, 0xfe28, 0x95fb, 0xed97}, | ||
| 1612 | {0xe9b6, 0x0c47, 0x3f0e, 0x849b, 0x11f8, 0xe599, 0x5e4d, 0xd618, | ||
| 1613 | 0xa06d, 0x33a0, 0x9a3e, 0x44db, 0xded8, 0x10f0, 0x94d2, 0x81fb}}, | ||
| 1614 | {{0x2e59, 0x7025, 0xd413, 0x455a, 0x1ce3, 0xbd45, 0x7263, 0x27f7, | ||
| 1615 | 0x23e3, 0x518e, 0xbe06, 0xc8c4, 0xe332, 0x4276, 0x68b4, 0xb166}, | ||
| 1616 | {0x596f, 0x0cf6, 0xc8ec, 0x787b, 0x04c1, 0x473c, 0xd2b8, 0x8d54, | ||
| 1617 | 0x9cdf, 0x77f2, 0xd3f3, 0x6735, 0x0638, 0xf80e, 0x9467, 0xc6aa}, | ||
| 1618 | {0xc7e7, 0x1822, 0xb62a, 0xec0d, 0x89cd, 0x7846, 0xbfa2, 0x35d5, | ||
| 1619 | 0xfa38, 0x870f, 0x494b, 0x1697, 0x8b17, 0xf904, 0x10b6, 0x9822}}, | ||
| 1620 | {{0x6d5b, 0x1d4f, 0x0aaf, 0x807b, 0x35fb, 0x7ee8, 0x00c6, 0x059a, | ||
| 1621 | 0xddf0, 0x1fb1, 0xc38a, 0xd78e, 0x2aa4, 0x79e7, 0xad28, 0xc3f1}, | ||
| 1622 | {0xe3bb, 0x174e, 0xe0a8, 0x74b6, 0xbd5b, 0x35f6, 0x6d23, 0x6328, | ||
| 1623 | 0xc11f, 0x83e1, 0xf928, 0xa918, 0x838e, 0xbf43, 0xe243, 0xfffb}, | ||
| 1624 | {0x9cf2, 0x6b8b, 0x3476, 0x9d06, 0xdcf2, 0xdb8a, 0x89cd, 0x4857, | ||
| 1625 | 0x75c2, 0xabb8, 0x490b, 0xc9bd, 0x890e, 0xe36e, 0xd552, 0xfffa}}, | ||
| 1626 | {{0x2f09, 0x9d62, 0xa9fc, 0xf090, 0xd6d1, 0x9d1d, 0x1828, 0xe413, | ||
| 1627 | 0xc92b, 0x3d5a, 0x1373, 0x368c, 0xbaf2, 0x2158, 0x71eb, 0x08a3}, | ||
| 1628 | {0x2f09, 0x1d62, 0x4630, 0x0de1, 0x06dc, 0xf7f1, 0xc161, 0x1e92, | ||
| 1629 | 0x7495, 0x97e4, 0x94b6, 0xa39e, 0x4f1b, 0x18f8, 0x7bd4, 0x0c4c}, | ||
| 1630 | {0xeb3d, 0x723d, 0x0907, 0x525b, 0x463a, 0x49a8, 0xc6b8, 0xce7f, | ||
| 1631 | 0x740c, 0x0d7d, 0xa83b, 0x457f, 0xae8e, 0xc6af, 0xd331, 0x0475}}, | ||
| 1632 | {{0x6abd, 0xc7af, 0x3e4e, 0x95fd, 0x8fc4, 0xee25, 0x1f9c, 0x0afe, | ||
| 1633 | 0x291d, 0xcde0, 0x48f4, 0xb2e8, 0xf7af, 0x8f8d, 0x0bd6, 0x078d}, | ||
| 1634 | {0x4037, 0xbf0e, 0x2081, 0xf363, 0x13b2, 0x381e, 0xfb6e, 0x818e, | ||
| 1635 | 0x27e4, 0x5662, 0x18b0, 0x0cd2, 0x81f5, 0x9415, 0x0d6c, 0xf9fb}, | ||
| 1636 | {0xd205, 0x0981, 0x0498, 0x1f08, 0xdb93, 0x1732, 0x0579, 0x1424, | ||
| 1637 | 0xad95, 0x642f, 0x050c, 0x1d6d, 0xfc95, 0xfc4a, 0xd41b, 0x3521}}, | ||
| 1638 | {{0xf23a, 0x4633, 0xaef4, 0x1a92, 0x3c8b, 0x1f09, 0x30f3, 0x4c56, | ||
| 1639 | 0x2a2f, 0x4f62, 0xf5e4, 0x8329, 0x63cc, 0xb593, 0xec6a, 0xc428}, | ||
| 1640 | {0x93a7, 0xfcf6, 0x606d, 0xd4b2, 0x2aad, 0x28b4, 0xc65b, 0x8998, | ||
| 1641 | 0x4e08, 0xd178, 0x0900, 0xc82b, 0x7470, 0xa342, 0x7c0f, 0xffff}, | ||
| 1642 | {0x315f, 0xf304, 0xeb7b, 0xe5c3, 0x1451, 0x6311, 0x8f37, 0x93a8, | ||
| 1643 | 0x4a38, 0xa6c6, 0xe393, 0x1087, 0x6301, 0xd673, 0x4ec4, 0xffff}}, | ||
| 1644 | {{0x892e, 0xeed0, 0x1165, 0xcbc1, 0x5545, 0xa280, 0x7243, 0x10c9, | ||
| 1645 | 0x9536, 0x36af, 0xb3fc, 0x2d7c, 0xe8a5, 0x09d6, 0xe1d4, 0xe85d}, | ||
| 1646 | {0xae09, 0xc28a, 0xd777, 0xbd80, 0x23d6, 0xf980, 0xeb7c, 0x4e0e, | ||
| 1647 | 0xf7dc, 0x6475, 0xf10a, 0x2d33, 0x5dfd, 0x797a, 0x7f1c, 0xf71a}, | ||
| 1648 | {0x4064, 0x8717, 0xd091, 0x80b0, 0x4527, 0x8442, 0xac8b, 0x9614, | ||
| 1649 | 0xc633, 0x35f5, 0x7714, 0x2e83, 0x4aaa, 0xd2e4, 0x1acd, 0x0562}}, | ||
| 1650 | {{0xdb64, 0x0937, 0x308b, 0x53b0, 0x00e8, 0xc77f, 0x2f30, 0x37f7, | ||
| 1651 | 0x79ce, 0xeb7f, 0xde81, 0x9286, 0xafda, 0x0e62, 0xae00, 0x0067}, | ||
| 1652 | {0x2cc7, 0xd362, 0xb161, 0x0557, 0x4ff2, 0xb9c8, 0x06fe, 0x5f2b, | ||
| 1653 | 0xde33, 0x0190, 0x28c6, 0xb886, 0xee2b, 0x5a4e, 0x3289, 0x0185}, | ||
| 1654 | {0x4215, 0x923e, 0xf34f, 0xb362, 0x88f8, 0xceec, 0xafdd, 0x7f42, | ||
| 1655 | 0x0c57, 0x56b2, 0xa366, 0x6a08, 0x0826, 0xfb8f, 0x1b03, 0x0163}}, | ||
| 1656 | {{0xa4ba, 0x8408, 0x810a, 0xdeba, 0x47a3, 0x853a, 0xeb64, 0x2f74, | ||
| 1657 | 0x3039, 0x038c, 0x7fbb, 0x498e, 0xd1e9, 0x46fb, 0x5691, 0x32a4}, | ||
| 1658 | {0xd749, 0xb49d, 0x20b7, 0x2af6, 0xd34a, 0xd2da, 0x0a10, 0xf781, | ||
| 1659 | 0x58c9, 0x171f, 0x3cb6, 0x6337, 0x88cd, 0xcf1e, 0xb246, 0x7351}, | ||
| 1660 | {0xf729, 0xcf0a, 0x96ea, 0x032c, 0x4a8f, 0x42fe, 0xbac8, 0xec65, | ||
| 1661 | 0x1510, 0x0d75, 0x4c17, 0x8d29, 0xa03f, 0x8b7e, 0x2c49, 0x0000}}, | ||
| 1662 | {{0x0fa4, 0x8e1c, 0x3788, 0xba3c, 0x8d52, 0xd89d, 0x12c8, 0xeced, | ||
| 1663 | 0x9fe6, 0x9b88, 0xecf3, 0xe3c8, 0xac48, 0x76ed, 0xf23e, 0xda79}, | ||
| 1664 | {0x1103, 0x227c, 0x5b00, 0x3fcf, 0xc5d0, 0x2d28, 0x8020, 0x4d1c, | ||
| 1665 | 0xc6b9, 0x67f9, 0x6f39, 0x989a, 0xda53, 0x3847, 0xd416, 0xe0d0}, | ||
| 1666 | {0xdd8e, 0xcf31, 0x3710, 0x7e44, 0xa511, 0x933c, 0x0cc3, 0x5145, | ||
| 1667 | 0xf632, 0x5e1d, 0x038f, 0x5ce7, 0x7265, 0xda9d, 0xded6, 0x08f8}}, | ||
| 1668 | {{0xe2c8, 0x91d5, 0xa5f5, 0x735f, 0x6b58, 0x56dc, 0xb39d, 0x5c4a, | ||
| 1669 | 0x57d0, 0xa1c2, 0xd92f, 0x9ad4, 0xf7c4, 0x51dd, 0xaf5c, 0x0096}, | ||
| 1670 | {0x1739, 0x7207, 0x7505, 0xbf35, 0x42de, 0x0a29, 0xa962, 0xdedf, | ||
| 1671 | 0x53e8, 0x12bf, 0xcde7, 0xd8e2, 0x8d4d, 0x2c4b, 0xb1b1, 0x0628}, | ||
| 1672 | {0x992d, 0xe3a7, 0xb422, 0xc198, 0x23ab, 0xa6ef, 0xb45d, 0x50da, | ||
| 1673 | 0xa738, 0x014a, 0x2310, 0x85fb, 0x5fe8, 0x1b18, 0x1774, 0x03a7}}, | ||
| 1674 | {{0x1f16, 0x2b09, 0x0236, 0xee90, 0xccf9, 0x9775, 0x8130, 0x4c91, | ||
| 1675 | 0x9091, 0x310b, 0x6dc4, 0x86f6, 0xc2e8, 0xef60, 0xfc0e, 0xf3a4}, | ||
| 1676 | {0x9f49, 0xac15, 0x02af, 0x110f, 0xc59d, 0x5677, 0xa1a9, 0x38d5, | ||
| 1677 | 0x914f, 0xa909, 0x3a3a, 0x4a39, 0x3703, 0xea30, 0x73da, 0xffad}, | ||
| 1678 | {0x15ed, 0xdd16, 0x83c7, 0x270a, 0x862f, 0xd8ad, 0xcaa1, 0x5f41, | ||
| 1679 | 0x99a9, 0x3fc8, 0x7bb2, 0x360a, 0xb06d, 0xfadc, 0x1b36, 0xffa8}}, | ||
| 1680 | {{0xc4e0, 0xb8fd, 0x5106, 0xe169, 0x754c, 0xa58c, 0xc413, 0x8224, | ||
| 1681 | 0x5483, 0x63ec, 0xd477, 0x8473, 0x4778, 0x9281, 0x0000, 0x0000}, | ||
| 1682 | {0x85e1, 0xff54, 0xb200, 0xe413, 0xf4f4, 0x4c0f, 0xfcec, 0xc183, | ||
| 1683 | 0x60d3, 0x1b0c, 0x3834, 0x601c, 0x943c, 0xbe6e, 0x0002, 0x0000}, | ||
| 1684 | {0xf4f8, 0xfd5e, 0x61ef, 0xece8, 0x9199, 0xe5c4, 0x05a6, 0xe6c3, | ||
| 1685 | 0xc4ae, 0x8b28, 0x66b1, 0x8a95, 0x9ece, 0x8f4a, 0x0001, 0x0000}}, | ||
| 1686 | {{0xeae9, 0xa1b4, 0xc6d8, 0x2411, 0x2b5a, 0x1dd0, 0x2dc9, 0xb57b, | ||
| 1687 | 0x5ccd, 0x4957, 0xaf59, 0xa04b, 0x5f42, 0xab7c, 0x2826, 0x526f}, | ||
| 1688 | {0xf407, 0x165a, 0xb724, 0x2f12, 0x2ea1, 0x470b, 0x4464, 0xbd35, | ||
| 1689 | 0x606f, 0xd73e, 0x50d3, 0x8a7f, 0x8029, 0x7ffc, 0xbe31, 0x6cfb}, | ||
| 1690 | {0x8171, 0x1f4c, 0xced2, 0x9c99, 0x6d7e, 0x5a0f, 0xfefb, 0x59e3, | ||
| 1691 | 0xa0c8, 0xabd9, 0xc4c5, 0x57d3, 0xbfa3, 0x4f11, 0x96a2, 0x5a7d}}, | ||
| 1692 | {{0xe068, 0x4cc0, 0x8bcd, 0xc903, 0x9e52, 0xb3e1, 0xd745, 0x0995, | ||
| 1693 | 0xdd8f, 0xf14b, 0xd2ac, 0xd65a, 0xda1d, 0xa742, 0xbac5, 0x474c}, | ||
| 1694 | {0x7481, 0xf2ad, 0x9757, 0x2d82, 0xb683, 0xb16b, 0x0002, 0x7b60, | ||
| 1695 | 0x8f0c, 0x2594, 0x8f64, 0x3b7a, 0x3552, 0x8d9d, 0xb9d7, 0x67eb}, | ||
| 1696 | {0xcaab, 0xb9a1, 0xf966, 0xe311, 0x5b34, 0x0fa0, 0x6abc, 0x8134, | ||
| 1697 | 0xab3d, 0x90f6, 0x1984, 0x9232, 0xec17, 0x74e5, 0x2ceb, 0x434e}}, | ||
| 1698 | {{0x0fb1, 0x7a55, 0x1a5c, 0x53eb, 0xd7b3, 0x7a01, 0xca32, 0x31f6, | ||
| 1699 | 0x3b74, 0x679e, 0x1501, 0x6c57, 0xdb20, 0x8b7c, 0xd7d0, 0x8097}, | ||
| 1700 | {0xb127, 0xb20c, 0xe3a2, 0x96f3, 0xe0d8, 0xd50c, 0x14b4, 0x0b40, | ||
| 1701 | 0x6eeb, 0xa258, 0x99db, 0x3c8c, 0x0f51, 0x4198, 0x3887, 0xffd0}, | ||
| 1702 | {0x0273, 0x9f8c, 0x9669, 0xbbba, 0x1c49, 0x767c, 0xc2af, 0x59f0, | ||
| 1703 | 0x1366, 0xd397, 0x63ac, 0x6fe8, 0x1a9a, 0x1259, 0x01d0, 0x0016}}, | ||
| 1704 | {{0x7876, 0x2a35, 0xa24a, 0x433e, 0x5501, 0x573c, 0xd76d, 0xcb82, | ||
| 1705 | 0x1334, 0xb4a6, 0xf290, 0xc797, 0xeae9, 0x2b83, 0x1e2b, 0x8b14}, | ||
| 1706 | {0x3885, 0x8aef, 0x9dea, 0x2b8c, 0xdd7c, 0xd7cd, 0xb0cc, 0x05ee, | ||
| 1707 | 0x361b, 0x3800, 0xb0d4, 0x4c23, 0xbd3f, 0x5180, 0x9783, 0xff80}, | ||
| 1708 | {0xab36, 0x3104, 0xdae8, 0x0704, 0x4a28, 0x6714, 0x824b, 0x0051, | ||
| 1709 | 0x8134, 0x1f6a, 0x712d, 0x1f03, 0x03b2, 0xecac, 0x377d, 0xfef9}} | ||
| 1710 | }; | ||
| 1711 | |||
| 1712 | 1 | int i, j, ok; | |
| 1713 | |||
| 1714 | /* Test known inputs/outputs */ | ||
| 1715 |
2/2✓ Branch 0 taken 86 times.
✓ Branch 1 taken 1 times.
|
87 | for (i = 0; (size_t)i < sizeof(CASES) / sizeof(CASES[0]); ++i) { |
| 1716 | 86 | uint16_t out[16]; | |
| 1717 | 86 | test_modinv32_uint16(out, CASES[i][0], CASES[i][1]); | |
| 1718 |
3/4✗ Branch 1 not taken.
✓ Branch 2 taken 1376 times.
✓ Branch 5 taken 1376 times.
✓ Branch 6 taken 86 times.
|
1548 | for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]); |
| 1719 | #ifdef SECP256K1_WIDEMUL_INT128 | ||
| 1720 | 86 | test_modinv64_uint16(out, CASES[i][0], CASES[i][1]); | |
| 1721 |
3/4✗ Branch 1 not taken.
✓ Branch 2 taken 1376 times.
✓ Branch 5 taken 1376 times.
✓ Branch 6 taken 86 times.
|
1548 | for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]); |
| 1722 | #endif | ||
| 1723 | } | ||
| 1724 | |||
| 1725 |
2/2✓ Branch 0 taken 6400 times.
✓ Branch 1 taken 1 times.
|
6401 | for (i = 0; i < 100 * count; ++i) { |
| 1726 | /* 256-bit numbers in 16-uint16_t's notation */ | ||
| 1727 | 7945 | static const uint16_t ZERO[16] = {0}; | |
| 1728 | 7945 | uint16_t xd[16]; /* the number (in range [0,2^256)) to be inverted */ | |
| 1729 | 7945 | uint16_t md[16]; /* the modulus (odd, in range [3,2^256)) */ | |
| 1730 | 7945 | uint16_t id[16]; /* the inverse of xd mod md */ | |
| 1731 | |||
| 1732 | /* generate random xd and md, so that md is odd, md>1, xd<md, and gcd(xd,md)=1 */ | ||
| 1733 | 7945 | do { | |
| 1734 | /* generate random xd and md (with many subsequent 0s and 1s) */ | ||
| 1735 | 7945 | secp256k1_testrand256_test((unsigned char*)xd); | |
| 1736 | 7945 | secp256k1_testrand256_test((unsigned char*)md); | |
| 1737 | 7945 | md[0] |= 1; /* modulus must be odd */ | |
| 1738 | /* If modulus is 1, find another one. */ | ||
| 1739 | 7945 | ok = md[0] != 1; | |
| 1740 |
2/2✓ Branch 0 taken 119175 times.
✓ Branch 1 taken 7945 times.
|
127120 | for (j = 1; j < 16; ++j) ok |= md[j] != 0; |
| 1741 | 7945 | mulmod256(xd, xd, NULL, md); /* Make xd = xd mod md */ | |
| 1742 |
3/4✗ Branch 0 not taken.
✓ Branch 1 taken 7945 times.
✓ Branch 3 taken 1545 times.
✓ Branch 4 taken 6400 times.
|
7945 | } while (!(ok && coprime(xd, md))); |
| 1743 | |||
| 1744 | 6400 | test_modinv32_uint16(id, xd, md); | |
| 1745 | #ifdef SECP256K1_WIDEMUL_INT128 | ||
| 1746 | 6400 | test_modinv64_uint16(id, xd, md); | |
| 1747 | #endif | ||
| 1748 | |||
| 1749 | /* In a few cases, also test with input=0 */ | ||
| 1750 |
2/2✓ Branch 0 taken 64 times.
✓ Branch 1 taken 6336 times.
|
6400 | if (i < count) { |
| 1751 | 64 | test_modinv32_uint16(id, ZERO, md); | |
| 1752 | #ifdef SECP256K1_WIDEMUL_INT128 | ||
| 1753 | 64 | test_modinv64_uint16(id, ZERO, md); | |
| 1754 | #endif | ||
| 1755 | } | ||
| 1756 | } | ||
| 1757 | 1 | } | |
| 1758 | |||
| 1759 | /***** SCALAR TESTS *****/ | ||
| 1760 | |||
| 1761 | |||
| 1762 | 8192 | void scalar_test(void) { | |
| 1763 | 8192 | secp256k1_scalar s; | |
| 1764 | 8192 | secp256k1_scalar s1; | |
| 1765 | 8192 | secp256k1_scalar s2; | |
| 1766 | 8192 | unsigned char c[32]; | |
| 1767 | |||
| 1768 | /* Set 's' to a random scalar, with value 'snum'. */ | ||
| 1769 | 8192 | random_scalar_order_test(&s); | |
| 1770 | |||
| 1771 | /* Set 's1' to a random scalar, with value 's1num'. */ | ||
| 1772 | 8192 | random_scalar_order_test(&s1); | |
| 1773 | |||
| 1774 | /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */ | ||
| 1775 | 8192 | random_scalar_order_test(&s2); | |
| 1776 | 8192 | secp256k1_scalar_get_b32(c, &s2); | |
| 1777 | |||
| 1778 | { | ||
| 1779 | 8192 | int i; | |
| 1780 | /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */ | ||
| 1781 | 8192 | secp256k1_scalar n; | |
| 1782 | 8192 | secp256k1_scalar_set_int(&n, 0); | |
| 1783 |
2/2✓ Branch 0 taken 524288 times.
✓ Branch 1 taken 8192 times.
|
532480 | for (i = 0; i < 256; i += 4) { |
| 1784 | 524288 | secp256k1_scalar t; | |
| 1785 | 524288 | int j; | |
| 1786 | 524288 | secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits(&s, 256 - 4 - i, 4)); | |
| 1787 |
2/2✓ Branch 0 taken 2097152 times.
✓ Branch 1 taken 524288 times.
|
2621440 | for (j = 0; j < 4; j++) { |
| 1788 | 2097152 | secp256k1_scalar_add(&n, &n, &n); | |
| 1789 | } | ||
| 1790 | 524288 | secp256k1_scalar_add(&n, &n, &t); | |
| 1791 | } | ||
| 1792 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 8192 times.
|
8192 | CHECK(secp256k1_scalar_eq(&n, &s)); |
| 1793 | } | ||
| 1794 | |||
| 1795 | { | ||
| 1796 | /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */ | ||
| 1797 | 8192 | secp256k1_scalar n; | |
| 1798 | 8192 | int i = 0; | |
| 1799 | 8192 | secp256k1_scalar_set_int(&n, 0); | |
| 1800 |
2/2✓ Branch 0 taken 266759 times.
✓ Branch 1 taken 8192 times.
|
274951 | while (i < 256) { |
| 1801 | 266759 | secp256k1_scalar t; | |
| 1802 | 266759 | int j; | |
| 1803 | 266759 | int now = secp256k1_testrand_int(15) + 1; | |
| 1804 |
2/2✓ Branch 0 taken 7220 times.
✓ Branch 1 taken 259539 times.
|
266759 | if (now + i > 256) { |
| 1805 | 7220 | now = 256 - i; | |
| 1806 | } | ||
| 1807 | 266759 | secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_var(&s, 256 - now - i, now)); | |
| 1808 |
2/2✓ Branch 0 taken 2097152 times.
✓ Branch 1 taken 266759 times.
|
2363911 | for (j = 0; j < now; j++) { |
| 1809 | 2097152 | secp256k1_scalar_add(&n, &n, &n); | |
| 1810 | } | ||
| 1811 | 266759 | secp256k1_scalar_add(&n, &n, &t); | |
| 1812 | 266759 | i += now; | |
| 1813 | } | ||
| 1814 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 8192 times.
|
8192 | CHECK(secp256k1_scalar_eq(&n, &s)); |
| 1815 | } | ||
| 1816 | |||
| 1817 | { | ||
| 1818 | /* test secp256k1_scalar_shr_int */ | ||
| 1819 | 8192 | secp256k1_scalar r; | |
| 1820 | 8192 | int i; | |
| 1821 | 8192 | random_scalar_order_test(&r); | |
| 1822 |
2/2✓ Branch 1 taken 819200 times.
✓ Branch 2 taken 8192 times.
|
835584 | for (i = 0; i < 100; ++i) { |
| 1823 | 819200 | int low; | |
| 1824 | 819200 | int shift = 1 + secp256k1_testrand_int(15); | |
| 1825 | 819200 | int expected = r.d[0] % (1 << shift); | |
| 1826 | 819200 | low = secp256k1_scalar_shr_int(&r, shift); | |
| 1827 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 819200 times.
|
819200 | CHECK(expected == low); |
| 1828 | } | ||
| 1829 | } | ||
| 1830 | |||
| 1831 | { | ||
| 1832 | /* Test commutativity of add. */ | ||
| 1833 | 8192 | secp256k1_scalar r1, r2; | |
| 1834 | 8192 | secp256k1_scalar_add(&r1, &s1, &s2); | |
| 1835 | 8192 | secp256k1_scalar_add(&r2, &s2, &s1); | |
| 1836 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 8192 times.
|
8192 | CHECK(secp256k1_scalar_eq(&r1, &r2)); |
| 1837 | } | ||
| 1838 | |||
| 1839 | { | ||
| 1840 | 8192 | secp256k1_scalar r1, r2; | |
| 1841 | 8192 | secp256k1_scalar b; | |
| 1842 | 8192 | int i; | |
| 1843 | /* Test add_bit. */ | ||
| 1844 | 8192 | int bit = secp256k1_testrand_bits(8); | |
| 1845 | 8192 | secp256k1_scalar_set_int(&b, 1); | |
| 1846 | 8192 | CHECK(secp256k1_scalar_is_one(&b)); | |
| 1847 |
2/2✓ Branch 0 taken 1043532 times.
✓ Branch 1 taken 8192 times.
|
1051724 | for (i = 0; i < bit; i++) { |
| 1848 | 1043532 | secp256k1_scalar_add(&b, &b, &b); | |
| 1849 | } | ||
| 1850 | 8192 | r1 = s1; | |
| 1851 | 8192 | r2 = s1; | |
| 1852 |
2/2✓ Branch 1 taken 7701 times.
✓ Branch 2 taken 491 times.
|
8192 | if (!secp256k1_scalar_add(&r1, &r1, &b)) { |
| 1853 | /* No overflow happened. */ | ||
| 1854 | 7701 | secp256k1_scalar_cadd_bit(&r2, bit, 1); | |
| 1855 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 7701 times.
|
7701 | CHECK(secp256k1_scalar_eq(&r1, &r2)); |
| 1856 | /* cadd is a noop when flag is zero */ | ||
| 1857 | 7701 | secp256k1_scalar_cadd_bit(&r2, bit, 0); | |
| 1858 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 7701 times.
|
7701 | CHECK(secp256k1_scalar_eq(&r1, &r2)); |
| 1859 | } | ||
| 1860 | } | ||
| 1861 | |||
| 1862 | { | ||
| 1863 | /* Test commutativity of mul. */ | ||
| 1864 | 8192 | secp256k1_scalar r1, r2; | |
| 1865 | 8192 | secp256k1_scalar_mul(&r1, &s1, &s2); | |
| 1866 | 8192 | secp256k1_scalar_mul(&r2, &s2, &s1); | |
| 1867 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 8192 times.
|
8192 | CHECK(secp256k1_scalar_eq(&r1, &r2)); |
| 1868 | } | ||
| 1869 | |||
| 1870 | { | ||
| 1871 | /* Test associativity of add. */ | ||
| 1872 | 8192 | secp256k1_scalar r1, r2; | |
| 1873 | 8192 | secp256k1_scalar_add(&r1, &s1, &s2); | |
| 1874 | 8192 | secp256k1_scalar_add(&r1, &r1, &s); | |
| 1875 | 8192 | secp256k1_scalar_add(&r2, &s2, &s); | |
| 1876 | 8192 | secp256k1_scalar_add(&r2, &s1, &r2); | |
| 1877 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 8192 times.
|
8192 | CHECK(secp256k1_scalar_eq(&r1, &r2)); |
| 1878 | } | ||
| 1879 | |||
| 1880 | { | ||
| 1881 | /* Test associativity of mul. */ | ||
| 1882 | 8192 | secp256k1_scalar r1, r2; | |
| 1883 | 8192 | secp256k1_scalar_mul(&r1, &s1, &s2); | |
| 1884 | 8192 | secp256k1_scalar_mul(&r1, &r1, &s); | |
| 1885 | 8192 | secp256k1_scalar_mul(&r2, &s2, &s); | |
| 1886 | 8192 | secp256k1_scalar_mul(&r2, &s1, &r2); | |
| 1887 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 8192 times.
|
8192 | CHECK(secp256k1_scalar_eq(&r1, &r2)); |
| 1888 | } | ||
| 1889 | |||
| 1890 | { | ||
| 1891 | /* Test distributitivity of mul over add. */ | ||
| 1892 | 8192 | secp256k1_scalar r1, r2, t; | |
| 1893 | 8192 | secp256k1_scalar_add(&r1, &s1, &s2); | |
| 1894 | 8192 | secp256k1_scalar_mul(&r1, &r1, &s); | |
| 1895 | 8192 | secp256k1_scalar_mul(&r2, &s1, &s); | |
| 1896 | 8192 | secp256k1_scalar_mul(&t, &s2, &s); | |
| 1897 | 8192 | secp256k1_scalar_add(&r2, &r2, &t); | |
| 1898 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 8192 times.
|
8192 | CHECK(secp256k1_scalar_eq(&r1, &r2)); |
| 1899 | } | ||
| 1900 | |||
| 1901 | { | ||
| 1902 | /* Test square. */ | ||
| 1903 | 8192 | secp256k1_scalar r1, r2; | |
| 1904 | 8192 | secp256k1_scalar_sqr(&r1, &s1); | |
| 1905 | 8192 | secp256k1_scalar_mul(&r2, &s1, &s1); | |
| 1906 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 8192 times.
|
8192 | CHECK(secp256k1_scalar_eq(&r1, &r2)); |
| 1907 | } | ||
| 1908 | |||
| 1909 | { | ||
| 1910 | /* Test multiplicative identity. */ | ||
| 1911 | 8192 | secp256k1_scalar r1, v1; | |
| 1912 | 8192 | secp256k1_scalar_set_int(&v1,1); | |
| 1913 | 8192 | secp256k1_scalar_mul(&r1, &s1, &v1); | |
| 1914 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 8192 times.
|
8192 | CHECK(secp256k1_scalar_eq(&r1, &s1)); |
| 1915 | } | ||
| 1916 | |||
| 1917 | { | ||
| 1918 | /* Test additive identity. */ | ||
| 1919 | 8192 | secp256k1_scalar r1, v0; | |
| 1920 | 8192 | secp256k1_scalar_set_int(&v0,0); | |
| 1921 | 8192 | secp256k1_scalar_add(&r1, &s1, &v0); | |
| 1922 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 8192 times.
|
8192 | CHECK(secp256k1_scalar_eq(&r1, &s1)); |
| 1923 | } | ||
| 1924 | |||
| 1925 | { | ||
| 1926 | /* Test zero product property. */ | ||
| 1927 | 8192 | secp256k1_scalar r1, v0; | |
| 1928 | 8192 | secp256k1_scalar_set_int(&v0,0); | |
| 1929 | 8192 | secp256k1_scalar_mul(&r1, &s1, &v0); | |
| 1930 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 8192 times.
|
8192 | CHECK(secp256k1_scalar_eq(&r1, &v0)); |
| 1931 | } | ||
| 1932 | |||
| 1933 | 8192 | } | |
| 1934 | |||
| 1935 | 64 | void run_scalar_set_b32_seckey_tests(void) { | |
| 1936 | 64 | unsigned char b32[32]; | |
| 1937 | 64 | secp256k1_scalar s1; | |
| 1938 | 64 | secp256k1_scalar s2; | |
| 1939 | |||
| 1940 | /* Usually set_b32 and set_b32_seckey give the same result */ | ||
| 1941 | 64 | random_scalar_order_b32(b32); | |
| 1942 | 64 | secp256k1_scalar_set_b32(&s1, b32, NULL); | |
| 1943 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 64 times.
|
64 | CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 1); |
| 1944 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 64 times.
|
64 | CHECK(secp256k1_scalar_eq(&s1, &s2) == 1); |
| 1945 | |||
| 1946 | 64 | memset(b32, 0, sizeof(b32)); | |
| 1947 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 64 times.
|
64 | CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0); |
| 1948 | 64 | memset(b32, 0xFF, sizeof(b32)); | |
| 1949 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 64 times.
|
64 | CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0); |
| 1950 | 64 | } | |
| 1951 | |||
| 1952 | 1 | void scalar_chacha_tests(void) { | |
| 1953 | /* Test vectors 1 to 4 from https://tools.ietf.org/html/rfc8439#appendix-A | ||
| 1954 | * Note that scalar_set_b32 and scalar_get_b32 represent integers | ||
| 1955 | * underlying the scalar in big-endian format. */ | ||
| 1956 | 1 | unsigned char expected1[64] = { | |
| 1957 | 0xad, 0xe0, 0xb8, 0x76, 0x90, 0x3d, 0xf1, 0xa0, | ||
| 1958 | 0xe5, 0x6a, 0x5d, 0x40, 0x28, 0xbd, 0x86, 0x53, | ||
| 1959 | 0xb8, 0x19, 0xd2, 0xbd, 0x1a, 0xed, 0x8d, 0xa0, | ||
| 1960 | 0xcc, 0xef, 0x36, 0xa8, 0xc7, 0x0d, 0x77, 0x8b, | ||
| 1961 | 0x7c, 0x59, 0x41, 0xda, 0x8d, 0x48, 0x57, 0x51, | ||
| 1962 | 0x3f, 0xe0, 0x24, 0x77, 0x37, 0x4a, 0xd8, 0xb8, | ||
| 1963 | 0xf4, 0xb8, 0x43, 0x6a, 0x1c, 0xa1, 0x18, 0x15, | ||
| 1964 | 0x69, 0xb6, 0x87, 0xc3, 0x86, 0x65, 0xee, 0xb2 | ||
| 1965 | }; | ||
| 1966 | 1 | unsigned char expected2[64] = { | |
| 1967 | 0xbe, 0xe7, 0x07, 0x9f, 0x7a, 0x38, 0x51, 0x55, | ||
| 1968 | 0x7c, 0x97, 0xba, 0x98, 0x0d, 0x08, 0x2d, 0x73, | ||
| 1969 | 0xa0, 0x29, 0x0f, 0xcb, 0x69, 0x65, 0xe3, 0x48, | ||
| 1970 | 0x3e, 0x53, 0xc6, 0x12, 0xed, 0x7a, 0xee, 0x32, | ||
| 1971 | 0x76, 0x21, 0xb7, 0x29, 0x43, 0x4e, 0xe6, 0x9c, | ||
| 1972 | 0xb0, 0x33, 0x71, 0xd5, 0xd5, 0x39, 0xd8, 0x74, | ||
| 1973 | 0x28, 0x1f, 0xed, 0x31, 0x45, 0xfb, 0x0a, 0x51, | ||
| 1974 | 0x1f, 0x0a, 0xe1, 0xac, 0x6f, 0x4d, 0x79, 0x4b | ||
| 1975 | }; | ||
| 1976 | 1 | unsigned char seed3[32] = { | |
| 1977 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 1978 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 1979 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 1980 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 | ||
| 1981 | }; | ||
| 1982 | 1 | unsigned char expected3[64] = { | |
| 1983 | 0x24, 0x52, 0xeb, 0x3a, 0x92, 0x49, 0xf8, 0xec, | ||
| 1984 | 0x8d, 0x82, 0x9d, 0x9b, 0xdd, 0xd4, 0xce, 0xb1, | ||
| 1985 | 0xe8, 0x25, 0x20, 0x83, 0x60, 0x81, 0x8b, 0x01, | ||
| 1986 | 0xf3, 0x84, 0x22, 0xb8, 0x5a, 0xaa, 0x49, 0xc9, | ||
| 1987 | 0xbb, 0x00, 0xca, 0x8e, 0xda, 0x3b, 0xa7, 0xb4, | ||
| 1988 | 0xc4, 0xb5, 0x92, 0xd1, 0xfd, 0xf2, 0x73, 0x2f, | ||
| 1989 | 0x44, 0x36, 0x27, 0x4e, 0x25, 0x61, 0xb3, 0xc8, | ||
| 1990 | 0xeb, 0xdd, 0x4a, 0xa6, 0xa0, 0x13, 0x6c, 0x00 | ||
| 1991 | }; | ||
| 1992 | 1 | unsigned char seed4[32] = { | |
| 1993 | 0x00, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 1994 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 1995 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 1996 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 | ||
| 1997 | }; | ||
| 1998 | 1 | unsigned char expected4[64] = { | |
| 1999 | 0xfb, 0x4d, 0xd5, 0x72, 0x4b, 0xc4, 0x2e, 0xf1, | ||
| 2000 | 0xdf, 0x92, 0x26, 0x36, 0x32, 0x7f, 0x13, 0x94, | ||
| 2001 | 0xa7, 0x8d, 0xea, 0x8f, 0x5e, 0x26, 0x90, 0x39, | ||
| 2002 | 0xa1, 0xbe, 0xbb, 0xc1, 0xca, 0xf0, 0x9a, 0xae, | ||
| 2003 | 0xa2, 0x5a, 0xb2, 0x13, 0x48, 0xa6, 0xb4, 0x6c, | ||
| 2004 | 0x1b, 0x9d, 0x9b, 0xcb, 0x09, 0x2c, 0x5b, 0xe6, | ||
| 2005 | 0x54, 0x6c, 0xa6, 0x24, 0x1b, 0xec, 0x45, 0xd5, | ||
| 2006 | 0x87, 0xf4, 0x74, 0x73, 0x96, 0xf0, 0x99, 0x2e | ||
| 2007 | }; | ||
| 2008 | 1 | unsigned char seed5[32] = { | |
| 2009 | 0x32, 0x56, 0x56, 0xf4, 0x29, 0x02, 0xc2, 0xf8, | ||
| 2010 | 0xa3, 0x4b, 0x96, 0xf5, 0xa7, 0xf7, 0xe3, 0x6c, | ||
| 2011 | 0x92, 0xad, 0xa5, 0x18, 0x1c, 0xe3, 0x41, 0xae, | ||
| 2012 | 0xc3, 0xf3, 0x18, 0xd0, 0xfa, 0x5b, 0x72, 0x53 | ||
| 2013 | }; | ||
| 2014 | 1 | unsigned char expected5[64] = { | |
| 2015 | 0xe7, 0x56, 0xd3, 0x28, 0xe9, 0xc6, 0x19, 0x5c, | ||
| 2016 | 0x6f, 0x17, 0x8e, 0x21, 0x8c, 0x1e, 0x72, 0x11, | ||
| 2017 | 0xe7, 0xbd, 0x17, 0x0d, 0xac, 0x14, 0xad, 0xe9, | ||
| 2018 | 0x3d, 0x9f, 0xb6, 0x92, 0xd6, 0x09, 0x20, 0xfb, | ||
| 2019 | 0x43, 0x8e, 0x3b, 0x6d, 0xe3, 0x33, 0xdc, 0xc7, | ||
| 2020 | 0x6c, 0x07, 0x6f, 0xbb, 0x1f, 0xb4, 0xc8, 0xb5, | ||
| 2021 | 0xe3, 0x6c, 0xe5, 0x12, 0xd9, 0xd7, 0x64, 0x0c, | ||
| 2022 | 0xf5, 0xa7, 0x0d, 0xab, 0x79, 0x03, 0xf1, 0x81 | ||
| 2023 | }; | ||
| 2024 | |||
| 2025 | 1 | secp256k1_scalar exp_r1, exp_r2; | |
| 2026 | 1 | secp256k1_scalar r1, r2; | |
| 2027 | 1 | unsigned char seed0[32] = { 0 }; | |
| 2028 | |||
| 2029 | 1 | secp256k1_scalar_chacha20(&r1, &r2, seed0, 0); | |
| 2030 | 1 | secp256k1_scalar_set_b32(&exp_r1, &expected1[0], NULL); | |
| 2031 | 1 | secp256k1_scalar_set_b32(&exp_r2, &expected1[32], NULL); | |
| 2032 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_scalar_eq(&exp_r1, &r1)); |
| 2033 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_scalar_eq(&exp_r2, &r2)); |
| 2034 | |||
| 2035 | 1 | secp256k1_scalar_chacha20(&r1, &r2, seed0, 1); | |
| 2036 | 1 | secp256k1_scalar_set_b32(&exp_r1, &expected2[0], NULL); | |
| 2037 | 1 | secp256k1_scalar_set_b32(&exp_r2, &expected2[32], NULL); | |
| 2038 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_scalar_eq(&exp_r1, &r1)); |
| 2039 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_scalar_eq(&exp_r2, &r2)); |
| 2040 | |||
| 2041 | 1 | secp256k1_scalar_chacha20(&r1, &r2, seed3, 1); | |
| 2042 | 1 | secp256k1_scalar_set_b32(&exp_r1, &expected3[0], NULL); | |
| 2043 | 1 | secp256k1_scalar_set_b32(&exp_r2, &expected3[32], NULL); | |
| 2044 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_scalar_eq(&exp_r1, &r1)); |
| 2045 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_scalar_eq(&exp_r2, &r2)); |
| 2046 | |||
| 2047 | 1 | secp256k1_scalar_chacha20(&r1, &r2, seed4, 2); | |
| 2048 | 1 | secp256k1_scalar_set_b32(&exp_r1, &expected4[0], NULL); | |
| 2049 | 1 | secp256k1_scalar_set_b32(&exp_r2, &expected4[32], NULL); | |
| 2050 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_scalar_eq(&exp_r1, &r1)); |
| 2051 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_scalar_eq(&exp_r2, &r2)); |
| 2052 | |||
| 2053 | 1 | secp256k1_scalar_chacha20(&r1, &r2, seed5, 0x6ff8602a7a78e2f2ULL); | |
| 2054 | 1 | secp256k1_scalar_set_b32(&exp_r1, &expected5[0], NULL); | |
| 2055 | 1 | secp256k1_scalar_set_b32(&exp_r2, &expected5[32], NULL); | |
| 2056 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_scalar_eq(&exp_r1, &r1)); |
| 2057 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_scalar_eq(&exp_r2, &r2)); |
| 2058 | 1 | } | |
| 2059 | |||
| 2060 | 1 | void run_scalar_tests(void) { | |
| 2061 | 1 | int i; | |
| 2062 |
2/2✓ Branch 0 taken 8192 times.
✓ Branch 1 taken 1 times.
|
8193 | for (i = 0; i < 128 * count; i++) { |
| 2063 | 8192 | scalar_test(); | |
| 2064 | } | ||
| 2065 |
2/2✓ Branch 0 taken 64 times.
✓ Branch 1 taken 1 times.
|
65 | for (i = 0; i < count; i++) { |
| 2066 | 64 | run_scalar_set_b32_seckey_tests(); | |
| 2067 | } | ||
| 2068 | |||
| 2069 | 1 | scalar_chacha_tests(); | |
| 2070 | |||
| 2071 | { | ||
| 2072 | /* (-1)+1 should be zero. */ | ||
| 2073 | 1 | secp256k1_scalar s, o; | |
| 2074 | 1 | secp256k1_scalar_set_int(&s, 1); | |
| 2075 | 1 | CHECK(secp256k1_scalar_is_one(&s)); | |
| 2076 | 1 | secp256k1_scalar_negate(&o, &s); | |
| 2077 | 1 | secp256k1_scalar_add(&o, &o, &s); | |
| 2078 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_scalar_is_zero(&o)); |
| 2079 | 1 | secp256k1_scalar_negate(&o, &o); | |
| 2080 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_scalar_is_zero(&o)); |
| 2081 | } | ||
| 2082 | |||
| 2083 | { | ||
| 2084 | /* Does check_overflow check catch all ones? */ | ||
| 2085 | 1 | static const secp256k1_scalar overflowed = SECP256K1_SCALAR_CONST( | |
| 2086 | 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, | ||
| 2087 | 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL | ||
| 2088 | ); | ||
| 2089 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_scalar_check_overflow(&overflowed)); |
| 2090 | } | ||
| 2091 | |||
| 2092 | { | ||
| 2093 | /* Static test vectors. | ||
| 2094 | * These were reduced from ~10^12 random vectors based on comparison-decision | ||
| 2095 | * and edge-case coverage on 32-bit and 64-bit implementations. | ||
| 2096 | * The responses were generated with Sage 5.9. | ||
| 2097 | */ | ||
| 2098 | 1 | secp256k1_scalar x; | |
| 2099 | 1 | secp256k1_scalar y; | |
| 2100 | 1 | secp256k1_scalar z; | |
| 2101 | 1 | secp256k1_scalar zz; | |
| 2102 | 1 | secp256k1_scalar one; | |
| 2103 | 1 | secp256k1_scalar r1; | |
| 2104 | 1 | secp256k1_scalar r2; | |
| 2105 | 1 | secp256k1_scalar zzv; | |
| 2106 | 1 | int overflow; | |
| 2107 | 1 | unsigned char chal[33][2][32] = { | |
| 2108 | {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00, | ||
| 2109 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, | ||
| 2110 | 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, | ||
| 2111 | 0xff, 0xff, 0x03, 0x00, 0xc0, 0xff, 0xff, 0xff}, | ||
| 2112 | {0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0x00, | ||
| 2113 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, | ||
| 2114 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
| 2115 | 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff}}, | ||
| 2116 | {{0xef, 0xff, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 2117 | 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, | ||
| 2118 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 2119 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, | ||
| 2120 | {0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 2121 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, | ||
| 2122 | 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff, | ||
| 2123 | 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x80, 0xff}}, | ||
| 2124 | {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 2125 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, | ||
| 2126 | 0x80, 0x00, 0x00, 0x80, 0xff, 0x3f, 0x00, 0x00, | ||
| 2127 | 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0x00}, | ||
| 2128 | {0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 0x80, | ||
| 2129 | 0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0xe0, | ||
| 2130 | 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00, | ||
| 2131 | 0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff}}, | ||
| 2132 | {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 2133 | 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80, | ||
| 2134 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, | ||
| 2135 | 0x00, 0x1e, 0xf8, 0xff, 0xff, 0xff, 0xfd, 0xff}, | ||
| 2136 | {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, | ||
| 2137 | 0x00, 0x00, 0x00, 0xf8, 0xff, 0x03, 0x00, 0xe0, | ||
| 2138 | 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff, | ||
| 2139 | 0xf3, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00}}, | ||
| 2140 | {{0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00, | ||
| 2141 | 0x00, 0x1c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, | ||
| 2142 | 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff, 0x00, | ||
| 2143 | 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff}, | ||
| 2144 | {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, | ||
| 2145 | 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
| 2146 | 0xff, 0x1f, 0x00, 0x00, 0x80, 0xff, 0xff, 0x3f, | ||
| 2147 | 0x00, 0xfe, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xff}}, | ||
| 2148 | {{0xff, 0xff, 0xff, 0xff, 0x00, 0x0f, 0xfc, 0x9f, | ||
| 2149 | 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80, | ||
| 2150 | 0xff, 0x0f, 0xfc, 0xff, 0x7f, 0x00, 0x00, 0x00, | ||
| 2151 | 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}, | ||
| 2152 | {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, | ||
| 2153 | 0x00, 0x00, 0xf8, 0xff, 0x0f, 0xc0, 0xff, 0xff, | ||
| 2154 | 0xff, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, | ||
| 2155 | 0xff, 0xff, 0xff, 0x07, 0x80, 0xff, 0xff, 0xff}}, | ||
| 2156 | {{0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, | ||
| 2157 | 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, | ||
| 2158 | 0xf7, 0xff, 0xff, 0xef, 0xff, 0xff, 0xff, 0x00, | ||
| 2159 | 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xf0}, | ||
| 2160 | {0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, | ||
| 2161 | 0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00, | ||
| 2162 | 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
| 2163 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}}, | ||
| 2164 | {{0x00, 0xf8, 0xff, 0x03, 0xff, 0xff, 0xff, 0x00, | ||
| 2165 | 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, | ||
| 2166 | 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, | ||
| 2167 | 0xff, 0xff, 0x03, 0xc0, 0xff, 0x0f, 0xfc, 0xff}, | ||
| 2168 | {0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, | ||
| 2169 | 0xff, 0x01, 0x00, 0x00, 0x00, 0x3f, 0x00, 0xc0, | ||
| 2170 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
| 2171 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}}, | ||
| 2172 | {{0x8f, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 2173 | 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
| 2174 | 0xff, 0x7f, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80, | ||
| 2175 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}, | ||
| 2176 | {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
| 2177 | 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 2178 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 2179 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, | ||
| 2180 | {{0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff, | ||
| 2181 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
| 2182 | 0xff, 0xff, 0x03, 0x00, 0x80, 0x00, 0x00, 0x80, | ||
| 2183 | 0xff, 0xff, 0xff, 0x00, 0x00, 0x80, 0xff, 0x7f}, | ||
| 2184 | {0xff, 0xcf, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00, | ||
| 2185 | 0x00, 0xc0, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff, | ||
| 2186 | 0xbf, 0xff, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 2187 | 0x80, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00}}, | ||
| 2188 | {{0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff, | ||
| 2189 | 0xff, 0xff, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, | ||
| 2190 | 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80, | ||
| 2191 | 0xff, 0x01, 0xfc, 0xff, 0x01, 0x00, 0xfe, 0xff}, | ||
| 2192 | {0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, | ||
| 2193 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 2194 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, | ||
| 2195 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00}}, | ||
| 2196 | {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 2197 | 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
| 2198 | 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
| 2199 | 0x7f, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80}, | ||
| 2200 | {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 2201 | 0x00, 0xf8, 0xff, 0x01, 0x00, 0xf0, 0xff, 0xff, | ||
| 2202 | 0xe0, 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 2203 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, | ||
| 2204 | {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
| 2205 | 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 2206 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 2207 | 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0x00}, | ||
| 2208 | {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, | ||
| 2209 | 0xfc, 0xff, 0xff, 0x3f, 0xf0, 0xff, 0xff, 0x3f, | ||
| 2210 | 0x00, 0x00, 0xf8, 0x07, 0x00, 0x00, 0x00, 0xff, | ||
| 2211 | 0xff, 0xff, 0xff, 0xff, 0x0f, 0x7e, 0x00, 0x00}}, | ||
| 2212 | {{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, | ||
| 2213 | 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80, | ||
| 2214 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
| 2215 | 0xff, 0xff, 0x1f, 0x00, 0x00, 0xfe, 0x07, 0x00}, | ||
| 2216 | {0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, | ||
| 2217 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
| 2218 | 0xff, 0xfb, 0xff, 0x07, 0x00, 0x00, 0x00, 0x00, | ||
| 2219 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60}}, | ||
| 2220 | {{0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0x0f, 0x00, | ||
| 2221 | 0x80, 0x7f, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x03, | ||
| 2222 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 2223 | 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, | ||
| 2224 | {0xff, 0xff, 0x1f, 0x00, 0xf0, 0xff, 0xff, 0xff, | ||
| 2225 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
| 2226 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
| 2227 | 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 0x00}}, | ||
| 2228 | {{0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, | ||
| 2229 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
| 2230 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
| 2231 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, | ||
| 2232 | {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
| 2233 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf1, 0xff, | ||
| 2234 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, | ||
| 2235 | 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff}}, | ||
| 2236 | {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, | ||
| 2237 | 0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 2238 | 0xc0, 0xff, 0xff, 0xcf, 0xff, 0x1f, 0x00, 0x00, | ||
| 2239 | 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80}, | ||
| 2240 | {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 2241 | 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, | ||
| 2242 | 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x7e, | ||
| 2243 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, | ||
| 2244 | {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 2245 | 0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, | ||
| 2246 | 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 2247 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0x00}, | ||
| 2248 | {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, | ||
| 2249 | 0xff, 0xff, 0x7f, 0x00, 0x80, 0x00, 0x00, 0x00, | ||
| 2250 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, | ||
| 2251 | 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff}}, | ||
| 2252 | {{0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80, | ||
| 2253 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, | ||
| 2254 | 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, | ||
| 2255 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}, | ||
| 2256 | {0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
| 2257 | 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x80, | ||
| 2258 | 0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, | ||
| 2259 | 0xff, 0x7f, 0xf8, 0xff, 0xff, 0x1f, 0x00, 0xfe}}, | ||
| 2260 | {{0xff, 0xff, 0xff, 0x3f, 0xf8, 0xff, 0xff, 0xff, | ||
| 2261 | 0xff, 0x03, 0xfe, 0x01, 0x00, 0x00, 0x00, 0x00, | ||
| 2262 | 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
| 2263 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07}, | ||
| 2264 | {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, | ||
| 2265 | 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, | ||
| 2266 | 0xff, 0xff, 0xff, 0xff, 0x01, 0x80, 0xff, 0xff, | ||
| 2267 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}}, | ||
| 2268 | {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 2269 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 2270 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 2271 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, | ||
| 2272 | {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
| 2273 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, | ||
| 2274 | 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b, | ||
| 2275 | 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}}, | ||
| 2276 | {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 2277 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 2278 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 2279 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}, | ||
| 2280 | {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 2281 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 2282 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 2283 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, | ||
| 2284 | {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
| 2285 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
| 2286 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
| 2287 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, | ||
| 2288 | {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
| 2289 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
| 2290 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
| 2291 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}}, | ||
| 2292 | {{0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xc0, | ||
| 2293 | 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 2294 | 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
| 2295 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f}, | ||
| 2296 | {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00, | ||
| 2297 | 0xf0, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00, 0x00, | ||
| 2298 | 0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, | ||
| 2299 | 0xff, 0xff, 0xff, 0xff, 0x01, 0xff, 0xff, 0xff}}, | ||
| 2300 | {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
| 2301 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
| 2302 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
| 2303 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, | ||
| 2304 | {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 2305 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 2306 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 2307 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}}, | ||
| 2308 | {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
| 2309 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, | ||
| 2310 | 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b, | ||
| 2311 | 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}, | ||
| 2312 | {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 2313 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 2314 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 2315 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}}, | ||
| 2316 | {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
| 2317 | 0x7e, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00, | ||
| 2318 | 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, | ||
| 2319 | 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, | ||
| 2320 | {0xff, 0x01, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, | ||
| 2321 | 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80, | ||
| 2322 | 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 0x00, | ||
| 2323 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}}, | ||
| 2324 | {{0xff, 0xff, 0xf0, 0xff, 0xff, 0xff, 0xff, 0x00, | ||
| 2325 | 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, | ||
| 2326 | 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, | ||
| 2327 | 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff}, | ||
| 2328 | {0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, | ||
| 2329 | 0xff, 0xff, 0x3f, 0x00, 0xf8, 0xff, 0xff, 0xff, | ||
| 2330 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
| 2331 | 0xff, 0x3f, 0x00, 0x00, 0xc0, 0xf1, 0x7f, 0x00}}, | ||
| 2332 | {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 2333 | 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff, | ||
| 2334 | 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 2335 | 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00}, | ||
| 2336 | {0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, | ||
| 2337 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, | ||
| 2338 | 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1f, | ||
| 2339 | 0x00, 0x00, 0xfc, 0xff, 0xff, 0x01, 0xff, 0xff}}, | ||
| 2340 | {{0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, | ||
| 2341 | 0x80, 0x00, 0x00, 0x80, 0xff, 0x03, 0xe0, 0x01, | ||
| 2342 | 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0xfc, 0xff, | ||
| 2343 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}, | ||
| 2344 | {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, | ||
| 2345 | 0xfe, 0xff, 0xff, 0xf0, 0x07, 0x00, 0x3c, 0x80, | ||
| 2346 | 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff, | ||
| 2347 | 0xff, 0xff, 0x07, 0xe0, 0xff, 0x00, 0x00, 0x00}}, | ||
| 2348 | {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, | ||
| 2349 | 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
| 2350 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0xf8, | ||
| 2351 | 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80}, | ||
| 2352 | {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
| 2353 | 0xff, 0xff, 0xff, 0xff, 0xff, 0x0c, 0x80, 0x00, | ||
| 2354 | 0x00, 0x00, 0x00, 0xc0, 0x7f, 0xfe, 0xff, 0x1f, | ||
| 2355 | 0x00, 0xfe, 0xff, 0x03, 0x00, 0x00, 0xfe, 0xff}}, | ||
| 2356 | {{0xff, 0xff, 0x81, 0xff, 0xff, 0xff, 0xff, 0x00, | ||
| 2357 | 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x83, | ||
| 2358 | 0xff, 0xff, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80, | ||
| 2359 | 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf0}, | ||
| 2360 | {0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, | ||
| 2361 | 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x00, | ||
| 2362 | 0xf8, 0x07, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, | ||
| 2363 | 0xff, 0xc7, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff}}, | ||
| 2364 | {{0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00, | ||
| 2365 | 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00, | ||
| 2366 | 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb, | ||
| 2367 | 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}, | ||
| 2368 | {0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00, | ||
| 2369 | 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00, | ||
| 2370 | 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb, | ||
| 2371 | 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}} | ||
| 2372 | }; | ||
| 2373 | 1 | unsigned char res[33][2][32] = { | |
| 2374 | {{0x0c, 0x3b, 0x0a, 0xca, 0x8d, 0x1a, 0x2f, 0xb9, | ||
| 2375 | 0x8a, 0x7b, 0x53, 0x5a, 0x1f, 0xc5, 0x22, 0xa1, | ||
| 2376 | 0x07, 0x2a, 0x48, 0xea, 0x02, 0xeb, 0xb3, 0xd6, | ||
| 2377 | 0x20, 0x1e, 0x86, 0xd0, 0x95, 0xf6, 0x92, 0x35}, | ||
| 2378 | {0xdc, 0x90, 0x7a, 0x07, 0x2e, 0x1e, 0x44, 0x6d, | ||
| 2379 | 0xf8, 0x15, 0x24, 0x5b, 0x5a, 0x96, 0x37, 0x9c, | ||
| 2380 | 0x37, 0x7b, 0x0d, 0xac, 0x1b, 0x65, 0x58, 0x49, | ||
| 2381 | 0x43, 0xb7, 0x31, 0xbb, 0xa7, 0xf4, 0x97, 0x15}}, | ||
| 2382 | {{0xf1, 0xf7, 0x3a, 0x50, 0xe6, 0x10, 0xba, 0x22, | ||
| 2383 | 0x43, 0x4d, 0x1f, 0x1f, 0x7c, 0x27, 0xca, 0x9c, | ||
| 2384 | 0xb8, 0xb6, 0xa0, 0xfc, 0xd8, 0xc0, 0x05, 0x2f, | ||
| 2385 | 0xf7, 0x08, 0xe1, 0x76, 0xdd, 0xd0, 0x80, 0xc8}, | ||
| 2386 | {0xe3, 0x80, 0x80, 0xb8, 0xdb, 0xe3, 0xa9, 0x77, | ||
| 2387 | 0x00, 0xb0, 0xf5, 0x2e, 0x27, 0xe2, 0x68, 0xc4, | ||
| 2388 | 0x88, 0xe8, 0x04, 0xc1, 0x12, 0xbf, 0x78, 0x59, | ||
| 2389 | 0xe6, 0xa9, 0x7c, 0xe1, 0x81, 0xdd, 0xb9, 0xd5}}, | ||
| 2390 | {{0x96, 0xe2, 0xee, 0x01, 0xa6, 0x80, 0x31, 0xef, | ||
| 2391 | 0x5c, 0xd0, 0x19, 0xb4, 0x7d, 0x5f, 0x79, 0xab, | ||
| 2392 | 0xa1, 0x97, 0xd3, 0x7e, 0x33, 0xbb, 0x86, 0x55, | ||
| 2393 | 0x60, 0x20, 0x10, 0x0d, 0x94, 0x2d, 0x11, 0x7c}, | ||
| 2394 | {0xcc, 0xab, 0xe0, 0xe8, 0x98, 0x65, 0x12, 0x96, | ||
| 2395 | 0x38, 0x5a, 0x1a, 0xf2, 0x85, 0x23, 0x59, 0x5f, | ||
| 2396 | 0xf9, 0xf3, 0xc2, 0x81, 0x70, 0x92, 0x65, 0x12, | ||
| 2397 | 0x9c, 0x65, 0x1e, 0x96, 0x00, 0xef, 0xe7, 0x63}}, | ||
| 2398 | {{0xac, 0x1e, 0x62, 0xc2, 0x59, 0xfc, 0x4e, 0x5c, | ||
| 2399 | 0x83, 0xb0, 0xd0, 0x6f, 0xce, 0x19, 0xf6, 0xbf, | ||
| 2400 | 0xa4, 0xb0, 0xe0, 0x53, 0x66, 0x1f, 0xbf, 0xc9, | ||
| 2401 | 0x33, 0x47, 0x37, 0xa9, 0x3d, 0x5d, 0xb0, 0x48}, | ||
| 2402 | {0x86, 0xb9, 0x2a, 0x7f, 0x8e, 0xa8, 0x60, 0x42, | ||
| 2403 | 0x26, 0x6d, 0x6e, 0x1c, 0xa2, 0xec, 0xe0, 0xe5, | ||
| 2404 | 0x3e, 0x0a, 0x33, 0xbb, 0x61, 0x4c, 0x9f, 0x3c, | ||
| 2405 | 0xd1, 0xdf, 0x49, 0x33, 0xcd, 0x72, 0x78, 0x18}}, | ||
| 2406 | {{0xf7, 0xd3, 0xcd, 0x49, 0x5c, 0x13, 0x22, 0xfb, | ||
| 2407 | 0x2e, 0xb2, 0x2f, 0x27, 0xf5, 0x8a, 0x5d, 0x74, | ||
| 2408 | 0xc1, 0x58, 0xc5, 0xc2, 0x2d, 0x9f, 0x52, 0xc6, | ||
| 2409 | 0x63, 0x9f, 0xba, 0x05, 0x76, 0x45, 0x7a, 0x63}, | ||
| 2410 | {0x8a, 0xfa, 0x55, 0x4d, 0xdd, 0xa3, 0xb2, 0xc3, | ||
| 2411 | 0x44, 0xfd, 0xec, 0x72, 0xde, 0xef, 0xc0, 0x99, | ||
| 2412 | 0xf5, 0x9f, 0xe2, 0x52, 0xb4, 0x05, 0x32, 0x58, | ||
| 2413 | 0x57, 0xc1, 0x8f, 0xea, 0xc3, 0x24, 0x5b, 0x94}}, | ||
| 2414 | {{0x05, 0x83, 0xee, 0xdd, 0x64, 0xf0, 0x14, 0x3b, | ||
| 2415 | 0xa0, 0x14, 0x4a, 0x3a, 0x41, 0x82, 0x7c, 0xa7, | ||
| 2416 | 0x2c, 0xaa, 0xb1, 0x76, 0xbb, 0x59, 0x64, 0x5f, | ||
| 2417 | 0x52, 0xad, 0x25, 0x29, 0x9d, 0x8f, 0x0b, 0xb0}, | ||
| 2418 | {0x7e, 0xe3, 0x7c, 0xca, 0xcd, 0x4f, 0xb0, 0x6d, | ||
| 2419 | 0x7a, 0xb2, 0x3e, 0xa0, 0x08, 0xb9, 0xa8, 0x2d, | ||
| 2420 | 0xc2, 0xf4, 0x99, 0x66, 0xcc, 0xac, 0xd8, 0xb9, | ||
| 2421 | 0x72, 0x2a, 0x4a, 0x3e, 0x0f, 0x7b, 0xbf, 0xf4}}, | ||
| 2422 | {{0x8c, 0x9c, 0x78, 0x2b, 0x39, 0x61, 0x7e, 0xf7, | ||
| 2423 | 0x65, 0x37, 0x66, 0x09, 0x38, 0xb9, 0x6f, 0x70, | ||
| 2424 | 0x78, 0x87, 0xff, 0xcf, 0x93, 0xca, 0x85, 0x06, | ||
| 2425 | 0x44, 0x84, 0xa7, 0xfe, 0xd3, 0xa4, 0xe3, 0x7e}, | ||
| 2426 | {0xa2, 0x56, 0x49, 0x23, 0x54, 0xa5, 0x50, 0xe9, | ||
| 2427 | 0x5f, 0xf0, 0x4d, 0xe7, 0xdc, 0x38, 0x32, 0x79, | ||
| 2428 | 0x4f, 0x1c, 0xb7, 0xe4, 0xbb, 0xf8, 0xbb, 0x2e, | ||
| 2429 | 0x40, 0x41, 0x4b, 0xcc, 0xe3, 0x1e, 0x16, 0x36}}, | ||
| 2430 | {{0x0c, 0x1e, 0xd7, 0x09, 0x25, 0x40, 0x97, 0xcb, | ||
| 2431 | 0x5c, 0x46, 0xa8, 0xda, 0xef, 0x25, 0xd5, 0xe5, | ||
| 2432 | 0x92, 0x4d, 0xcf, 0xa3, 0xc4, 0x5d, 0x35, 0x4a, | ||
| 2433 | 0xe4, 0x61, 0x92, 0xf3, 0xbf, 0x0e, 0xcd, 0xbe}, | ||
| 2434 | {0xe4, 0xaf, 0x0a, 0xb3, 0x30, 0x8b, 0x9b, 0x48, | ||
| 2435 | 0x49, 0x43, 0xc7, 0x64, 0x60, 0x4a, 0x2b, 0x9e, | ||
| 2436 | 0x95, 0x5f, 0x56, 0xe8, 0x35, 0xdc, 0xeb, 0xdc, | ||
| 2437 | 0xc7, 0xc4, 0xfe, 0x30, 0x40, 0xc7, 0xbf, 0xa4}}, | ||
| 2438 | {{0xd4, 0xa0, 0xf5, 0x81, 0x49, 0x6b, 0xb6, 0x8b, | ||
| 2439 | 0x0a, 0x69, 0xf9, 0xfe, 0xa8, 0x32, 0xe5, 0xe0, | ||
| 2440 | 0xa5, 0xcd, 0x02, 0x53, 0xf9, 0x2c, 0xe3, 0x53, | ||
| 2441 | 0x83, 0x36, 0xc6, 0x02, 0xb5, 0xeb, 0x64, 0xb8}, | ||
| 2442 | {0x1d, 0x42, 0xb9, 0xf9, 0xe9, 0xe3, 0x93, 0x2c, | ||
| 2443 | 0x4c, 0xee, 0x6c, 0x5a, 0x47, 0x9e, 0x62, 0x01, | ||
| 2444 | 0x6b, 0x04, 0xfe, 0xa4, 0x30, 0x2b, 0x0d, 0x4f, | ||
| 2445 | 0x71, 0x10, 0xd3, 0x55, 0xca, 0xf3, 0x5e, 0x80}}, | ||
| 2446 | {{0x77, 0x05, 0xf6, 0x0c, 0x15, 0x9b, 0x45, 0xe7, | ||
| 2447 | 0xb9, 0x11, 0xb8, 0xf5, 0xd6, 0xda, 0x73, 0x0c, | ||
| 2448 | 0xda, 0x92, 0xea, 0xd0, 0x9d, 0xd0, 0x18, 0x92, | ||
| 2449 | 0xce, 0x9a, 0xaa, 0xee, 0x0f, 0xef, 0xde, 0x30}, | ||
| 2450 | {0xf1, 0xf1, 0xd6, 0x9b, 0x51, 0xd7, 0x77, 0x62, | ||
| 2451 | 0x52, 0x10, 0xb8, 0x7a, 0x84, 0x9d, 0x15, 0x4e, | ||
| 2452 | 0x07, 0xdc, 0x1e, 0x75, 0x0d, 0x0c, 0x3b, 0xdb, | ||
| 2453 | 0x74, 0x58, 0x62, 0x02, 0x90, 0x54, 0x8b, 0x43}}, | ||
| 2454 | {{0xa6, 0xfe, 0x0b, 0x87, 0x80, 0x43, 0x67, 0x25, | ||
| 2455 | 0x57, 0x5d, 0xec, 0x40, 0x50, 0x08, 0xd5, 0x5d, | ||
| 2456 | 0x43, 0xd7, 0xe0, 0xaa, 0xe0, 0x13, 0xb6, 0xb0, | ||
| 2457 | 0xc0, 0xd4, 0xe5, 0x0d, 0x45, 0x83, 0xd6, 0x13}, | ||
| 2458 | {0x40, 0x45, 0x0a, 0x92, 0x31, 0xea, 0x8c, 0x60, | ||
| 2459 | 0x8c, 0x1f, 0xd8, 0x76, 0x45, 0xb9, 0x29, 0x00, | ||
| 2460 | 0x26, 0x32, 0xd8, 0xa6, 0x96, 0x88, 0xe2, 0xc4, | ||
| 2461 | 0x8b, 0xdb, 0x7f, 0x17, 0x87, 0xcc, 0xc8, 0xf2}}, | ||
| 2462 | {{0xc2, 0x56, 0xe2, 0xb6, 0x1a, 0x81, 0xe7, 0x31, | ||
| 2463 | 0x63, 0x2e, 0xbb, 0x0d, 0x2f, 0x81, 0x67, 0xd4, | ||
| 2464 | 0x22, 0xe2, 0x38, 0x02, 0x25, 0x97, 0xc7, 0x88, | ||
| 2465 | 0x6e, 0xdf, 0xbe, 0x2a, 0xa5, 0x73, 0x63, 0xaa}, | ||
| 2466 | {0x50, 0x45, 0xe2, 0xc3, 0xbd, 0x89, 0xfc, 0x57, | ||
| 2467 | 0xbd, 0x3c, 0xa3, 0x98, 0x7e, 0x7f, 0x36, 0x38, | ||
| 2468 | 0x92, 0x39, 0x1f, 0x0f, 0x81, 0x1a, 0x06, 0x51, | ||
| 2469 | 0x1f, 0x8d, 0x6a, 0xff, 0x47, 0x16, 0x06, 0x9c}}, | ||
| 2470 | {{0x33, 0x95, 0xa2, 0x6f, 0x27, 0x5f, 0x9c, 0x9c, | ||
| 2471 | 0x64, 0x45, 0xcb, 0xd1, 0x3c, 0xee, 0x5e, 0x5f, | ||
| 2472 | 0x48, 0xa6, 0xaf, 0xe3, 0x79, 0xcf, 0xb1, 0xe2, | ||
| 2473 | 0xbf, 0x55, 0x0e, 0xa2, 0x3b, 0x62, 0xf0, 0xe4}, | ||
| 2474 | {0x14, 0xe8, 0x06, 0xe3, 0xbe, 0x7e, 0x67, 0x01, | ||
| 2475 | 0xc5, 0x21, 0x67, 0xd8, 0x54, 0xb5, 0x7f, 0xa4, | ||
| 2476 | 0xf9, 0x75, 0x70, 0x1c, 0xfd, 0x79, 0xdb, 0x86, | ||
| 2477 | 0xad, 0x37, 0x85, 0x83, 0x56, 0x4e, 0xf0, 0xbf}}, | ||
| 2478 | {{0xbc, 0xa6, 0xe0, 0x56, 0x4e, 0xef, 0xfa, 0xf5, | ||
| 2479 | 0x1d, 0x5d, 0x3f, 0x2a, 0x5b, 0x19, 0xab, 0x51, | ||
| 2480 | 0xc5, 0x8b, 0xdd, 0x98, 0x28, 0x35, 0x2f, 0xc3, | ||
| 2481 | 0x81, 0x4f, 0x5c, 0xe5, 0x70, 0xb9, 0xeb, 0x62}, | ||
| 2482 | {0xc4, 0x6d, 0x26, 0xb0, 0x17, 0x6b, 0xfe, 0x6c, | ||
| 2483 | 0x12, 0xf8, 0xe7, 0xc1, 0xf5, 0x2f, 0xfa, 0x91, | ||
| 2484 | 0x13, 0x27, 0xbd, 0x73, 0xcc, 0x33, 0x31, 0x1c, | ||
| 2485 | 0x39, 0xe3, 0x27, 0x6a, 0x95, 0xcf, 0xc5, 0xfb}}, | ||
| 2486 | {{0x30, 0xb2, 0x99, 0x84, 0xf0, 0x18, 0x2a, 0x6e, | ||
| 2487 | 0x1e, 0x27, 0xed, 0xa2, 0x29, 0x99, 0x41, 0x56, | ||
| 2488 | 0xe8, 0xd4, 0x0d, 0xef, 0x99, 0x9c, 0xf3, 0x58, | ||
| 2489 | 0x29, 0x55, 0x1a, 0xc0, 0x68, 0xd6, 0x74, 0xa4}, | ||
| 2490 | {0x07, 0x9c, 0xe7, 0xec, 0xf5, 0x36, 0x73, 0x41, | ||
| 2491 | 0xa3, 0x1c, 0xe5, 0x93, 0x97, 0x6a, 0xfd, 0xf7, | ||
| 2492 | 0x53, 0x18, 0xab, 0xaf, 0xeb, 0x85, 0xbd, 0x92, | ||
| 2493 | 0x90, 0xab, 0x3c, 0xbf, 0x30, 0x82, 0xad, 0xf6}}, | ||
| 2494 | {{0xc6, 0x87, 0x8a, 0x2a, 0xea, 0xc0, 0xa9, 0xec, | ||
| 2495 | 0x6d, 0xd3, 0xdc, 0x32, 0x23, 0xce, 0x62, 0x19, | ||
| 2496 | 0xa4, 0x7e, 0xa8, 0xdd, 0x1c, 0x33, 0xae, 0xd3, | ||
| 2497 | 0x4f, 0x62, 0x9f, 0x52, 0xe7, 0x65, 0x46, 0xf4}, | ||
| 2498 | {0x97, 0x51, 0x27, 0x67, 0x2d, 0xa2, 0x82, 0x87, | ||
| 2499 | 0x98, 0xd3, 0xb6, 0x14, 0x7f, 0x51, 0xd3, 0x9a, | ||
| 2500 | 0x0b, 0xd0, 0x76, 0x81, 0xb2, 0x4f, 0x58, 0x92, | ||
| 2501 | 0xa4, 0x86, 0xa1, 0xa7, 0x09, 0x1d, 0xef, 0x9b}}, | ||
| 2502 | {{0xb3, 0x0f, 0x2b, 0x69, 0x0d, 0x06, 0x90, 0x64, | ||
| 2503 | 0xbd, 0x43, 0x4c, 0x10, 0xe8, 0x98, 0x1c, 0xa3, | ||
| 2504 | 0xe1, 0x68, 0xe9, 0x79, 0x6c, 0x29, 0x51, 0x3f, | ||
| 2505 | 0x41, 0xdc, 0xdf, 0x1f, 0xf3, 0x60, 0xbe, 0x33}, | ||
| 2506 | {0xa1, 0x5f, 0xf7, 0x1d, 0xb4, 0x3e, 0x9b, 0x3c, | ||
| 2507 | 0xe7, 0xbd, 0xb6, 0x06, 0xd5, 0x60, 0x06, 0x6d, | ||
| 2508 | 0x50, 0xd2, 0xf4, 0x1a, 0x31, 0x08, 0xf2, 0xea, | ||
| 2509 | 0x8e, 0xef, 0x5f, 0x7d, 0xb6, 0xd0, 0xc0, 0x27}}, | ||
| 2510 | {{0x62, 0x9a, 0xd9, 0xbb, 0x38, 0x36, 0xce, 0xf7, | ||
| 2511 | 0x5d, 0x2f, 0x13, 0xec, 0xc8, 0x2d, 0x02, 0x8a, | ||
| 2512 | 0x2e, 0x72, 0xf0, 0xe5, 0x15, 0x9d, 0x72, 0xae, | ||
| 2513 | 0xfc, 0xb3, 0x4f, 0x02, 0xea, 0xe1, 0x09, 0xfe}, | ||
| 2514 | {0x00, 0x00, 0x00, 0x00, 0xfa, 0x0a, 0x3d, 0xbc, | ||
| 2515 | 0xad, 0x16, 0x0c, 0xb6, 0xe7, 0x7c, 0x8b, 0x39, | ||
| 2516 | 0x9a, 0x43, 0xbb, 0xe3, 0xc2, 0x55, 0x15, 0x14, | ||
| 2517 | 0x75, 0xac, 0x90, 0x9b, 0x7f, 0x9a, 0x92, 0x00}}, | ||
| 2518 | {{0x8b, 0xac, 0x70, 0x86, 0x29, 0x8f, 0x00, 0x23, | ||
| 2519 | 0x7b, 0x45, 0x30, 0xaa, 0xb8, 0x4c, 0xc7, 0x8d, | ||
| 2520 | 0x4e, 0x47, 0x85, 0xc6, 0x19, 0xe3, 0x96, 0xc2, | ||
| 2521 | 0x9a, 0xa0, 0x12, 0xed, 0x6f, 0xd7, 0x76, 0x16}, | ||
| 2522 | {0x45, 0xaf, 0x7e, 0x33, 0xc7, 0x7f, 0x10, 0x6c, | ||
| 2523 | 0x7c, 0x9f, 0x29, 0xc1, 0xa8, 0x7e, 0x15, 0x84, | ||
| 2524 | 0xe7, 0x7d, 0xc0, 0x6d, 0xab, 0x71, 0x5d, 0xd0, | ||
| 2525 | 0x6b, 0x9f, 0x97, 0xab, 0xcb, 0x51, 0x0c, 0x9f}}, | ||
| 2526 | {{0x9e, 0xc3, 0x92, 0xb4, 0x04, 0x9f, 0xc8, 0xbb, | ||
| 2527 | 0xdd, 0x9e, 0xc6, 0x05, 0xfd, 0x65, 0xec, 0x94, | ||
| 2528 | 0x7f, 0x2c, 0x16, 0xc4, 0x40, 0xac, 0x63, 0x7b, | ||
| 2529 | 0x7d, 0xb8, 0x0c, 0xe4, 0x5b, 0xe3, 0xa7, 0x0e}, | ||
| 2530 | {0x43, 0xf4, 0x44, 0xe8, 0xcc, 0xc8, 0xd4, 0x54, | ||
| 2531 | 0x33, 0x37, 0x50, 0xf2, 0x87, 0x42, 0x2e, 0x00, | ||
| 2532 | 0x49, 0x60, 0x62, 0x02, 0xfd, 0x1a, 0x7c, 0xdb, | ||
| 2533 | 0x29, 0x6c, 0x6d, 0x54, 0x53, 0x08, 0xd1, 0xc8}}, | ||
| 2534 | {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 2535 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 2536 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 2537 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, | ||
| 2538 | {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 2539 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 2540 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 2541 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, | ||
| 2542 | {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 2543 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 2544 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 2545 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, | ||
| 2546 | {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 2547 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 2548 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 2549 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}}, | ||
| 2550 | {{0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1, | ||
| 2551 | 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0, | ||
| 2552 | 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59, | ||
| 2553 | 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}, | ||
| 2554 | {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1, | ||
| 2555 | 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0, | ||
| 2556 | 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59, | ||
| 2557 | 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}}, | ||
| 2558 | {{0x28, 0x56, 0xac, 0x0e, 0x4f, 0x98, 0x09, 0xf0, | ||
| 2559 | 0x49, 0xfa, 0x7f, 0x84, 0xac, 0x7e, 0x50, 0x5b, | ||
| 2560 | 0x17, 0x43, 0x14, 0x89, 0x9c, 0x53, 0xa8, 0x94, | ||
| 2561 | 0x30, 0xf2, 0x11, 0x4d, 0x92, 0x14, 0x27, 0xe8}, | ||
| 2562 | {0x39, 0x7a, 0x84, 0x56, 0x79, 0x9d, 0xec, 0x26, | ||
| 2563 | 0x2c, 0x53, 0xc1, 0x94, 0xc9, 0x8d, 0x9e, 0x9d, | ||
| 2564 | 0x32, 0x1f, 0xdd, 0x84, 0x04, 0xe8, 0xe2, 0x0a, | ||
| 2565 | 0x6b, 0xbe, 0xbb, 0x42, 0x40, 0x67, 0x30, 0x6c}}, | ||
| 2566 | {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 2567 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, | ||
| 2568 | 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4, | ||
| 2569 | 0x40, 0x2d, 0xa1, 0x73, 0x2f, 0xc9, 0xbe, 0xbd}, | ||
| 2570 | {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1, | ||
| 2571 | 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0, | ||
| 2572 | 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59, | ||
| 2573 | 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}}, | ||
| 2574 | {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
| 2575 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, | ||
| 2576 | 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b, | ||
| 2577 | 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}, | ||
| 2578 | {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 2579 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 2580 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 2581 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}}, | ||
| 2582 | {{0x1c, 0xc4, 0xf7, 0xda, 0x0f, 0x65, 0xca, 0x39, | ||
| 2583 | 0x70, 0x52, 0x92, 0x8e, 0xc3, 0xc8, 0x15, 0xea, | ||
| 2584 | 0x7f, 0x10, 0x9e, 0x77, 0x4b, 0x6e, 0x2d, 0xdf, | ||
| 2585 | 0xe8, 0x30, 0x9d, 0xda, 0xe8, 0x9a, 0x65, 0xae}, | ||
| 2586 | {0x02, 0xb0, 0x16, 0xb1, 0x1d, 0xc8, 0x57, 0x7b, | ||
| 2587 | 0xa2, 0x3a, 0xa2, 0xa3, 0x38, 0x5c, 0x8f, 0xeb, | ||
| 2588 | 0x66, 0x37, 0x91, 0xa8, 0x5f, 0xef, 0x04, 0xf6, | ||
| 2589 | 0x59, 0x75, 0xe1, 0xee, 0x92, 0xf6, 0x0e, 0x30}}, | ||
| 2590 | {{0x8d, 0x76, 0x14, 0xa4, 0x14, 0x06, 0x9f, 0x9a, | ||
| 2591 | 0xdf, 0x4a, 0x85, 0xa7, 0x6b, 0xbf, 0x29, 0x6f, | ||
| 2592 | 0xbc, 0x34, 0x87, 0x5d, 0xeb, 0xbb, 0x2e, 0xa9, | ||
| 2593 | 0xc9, 0x1f, 0x58, 0xd6, 0x9a, 0x82, 0xa0, 0x56}, | ||
| 2594 | {0xd4, 0xb9, 0xdb, 0x88, 0x1d, 0x04, 0xe9, 0x93, | ||
| 2595 | 0x8d, 0x3f, 0x20, 0xd5, 0x86, 0xa8, 0x83, 0x07, | ||
| 2596 | 0xdb, 0x09, 0xd8, 0x22, 0x1f, 0x7f, 0xf1, 0x71, | ||
| 2597 | 0xc8, 0xe7, 0x5d, 0x47, 0xaf, 0x8b, 0x72, 0xe9}}, | ||
| 2598 | {{0x83, 0xb9, 0x39, 0xb2, 0xa4, 0xdf, 0x46, 0x87, | ||
| 2599 | 0xc2, 0xb8, 0xf1, 0xe6, 0x4c, 0xd1, 0xe2, 0xa9, | ||
| 2600 | 0xe4, 0x70, 0x30, 0x34, 0xbc, 0x52, 0x7c, 0x55, | ||
| 2601 | 0xa6, 0xec, 0x80, 0xa4, 0xe5, 0xd2, 0xdc, 0x73}, | ||
| 2602 | {0x08, 0xf1, 0x03, 0xcf, 0x16, 0x73, 0xe8, 0x7d, | ||
| 2603 | 0xb6, 0x7e, 0x9b, 0xc0, 0xb4, 0xc2, 0xa5, 0x86, | ||
| 2604 | 0x02, 0x77, 0xd5, 0x27, 0x86, 0xa5, 0x15, 0xfb, | ||
| 2605 | 0xae, 0x9b, 0x8c, 0xa9, 0xf9, 0xf8, 0xa8, 0x4a}}, | ||
| 2606 | {{0x8b, 0x00, 0x49, 0xdb, 0xfa, 0xf0, 0x1b, 0xa2, | ||
| 2607 | 0xed, 0x8a, 0x9a, 0x7a, 0x36, 0x78, 0x4a, 0xc7, | ||
| 2608 | 0xf7, 0xad, 0x39, 0xd0, 0x6c, 0x65, 0x7a, 0x41, | ||
| 2609 | 0xce, 0xd6, 0xd6, 0x4c, 0x20, 0x21, 0x6b, 0xc7}, | ||
| 2610 | {0xc6, 0xca, 0x78, 0x1d, 0x32, 0x6c, 0x6c, 0x06, | ||
| 2611 | 0x91, 0xf2, 0x1a, 0xe8, 0x43, 0x16, 0xea, 0x04, | ||
| 2612 | 0x3c, 0x1f, 0x07, 0x85, 0xf7, 0x09, 0x22, 0x08, | ||
| 2613 | 0xba, 0x13, 0xfd, 0x78, 0x1e, 0x3f, 0x6f, 0x62}}, | ||
| 2614 | {{0x25, 0x9b, 0x7c, 0xb0, 0xac, 0x72, 0x6f, 0xb2, | ||
| 2615 | 0xe3, 0x53, 0x84, 0x7a, 0x1a, 0x9a, 0x98, 0x9b, | ||
| 2616 | 0x44, 0xd3, 0x59, 0xd0, 0x8e, 0x57, 0x41, 0x40, | ||
| 2617 | 0x78, 0xa7, 0x30, 0x2f, 0x4c, 0x9c, 0xb9, 0x68}, | ||
| 2618 | {0xb7, 0x75, 0x03, 0x63, 0x61, 0xc2, 0x48, 0x6e, | ||
| 2619 | 0x12, 0x3d, 0xbf, 0x4b, 0x27, 0xdf, 0xb1, 0x7a, | ||
| 2620 | 0xff, 0x4e, 0x31, 0x07, 0x83, 0xf4, 0x62, 0x5b, | ||
| 2621 | 0x19, 0xa5, 0xac, 0xa0, 0x32, 0x58, 0x0d, 0xa7}}, | ||
| 2622 | {{0x43, 0x4f, 0x10, 0xa4, 0xca, 0xdb, 0x38, 0x67, | ||
| 2623 | 0xfa, 0xae, 0x96, 0xb5, 0x6d, 0x97, 0xff, 0x1f, | ||
| 2624 | 0xb6, 0x83, 0x43, 0xd3, 0xa0, 0x2d, 0x70, 0x7a, | ||
| 2625 | 0x64, 0x05, 0x4c, 0xa7, 0xc1, 0xa5, 0x21, 0x51}, | ||
| 2626 | {0xe4, 0xf1, 0x23, 0x84, 0xe1, 0xb5, 0x9d, 0xf2, | ||
| 2627 | 0xb8, 0x73, 0x8b, 0x45, 0x2b, 0x35, 0x46, 0x38, | ||
| 2628 | 0x10, 0x2b, 0x50, 0xf8, 0x8b, 0x35, 0xcd, 0x34, | ||
| 2629 | 0xc8, 0x0e, 0xf6, 0xdb, 0x09, 0x35, 0xf0, 0xda}}, | ||
| 2630 | {{0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34, | ||
| 2631 | 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13, | ||
| 2632 | 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46, | ||
| 2633 | 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}, | ||
| 2634 | {0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34, | ||
| 2635 | 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13, | ||
| 2636 | 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46, | ||
| 2637 | 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}} | ||
| 2638 | }; | ||
| 2639 | 1 | secp256k1_scalar_set_int(&one, 1); | |
| 2640 |
2/2✓ Branch 0 taken 33 times.
✓ Branch 1 taken 1 times.
|
34 | for (i = 0; i < 33; i++) { |
| 2641 | 33 | secp256k1_scalar_set_b32(&x, chal[i][0], &overflow); | |
| 2642 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 33 times.
|
33 | CHECK(!overflow); |
| 2643 | 33 | secp256k1_scalar_set_b32(&y, chal[i][1], &overflow); | |
| 2644 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 33 times.
|
33 | CHECK(!overflow); |
| 2645 | 33 | secp256k1_scalar_set_b32(&r1, res[i][0], &overflow); | |
| 2646 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 33 times.
|
33 | CHECK(!overflow); |
| 2647 | 33 | secp256k1_scalar_set_b32(&r2, res[i][1], &overflow); | |
| 2648 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 33 times.
|
33 | CHECK(!overflow); |
| 2649 | 33 | secp256k1_scalar_mul(&z, &x, &y); | |
| 2650 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 33 times.
|
33 | CHECK(!secp256k1_scalar_check_overflow(&z)); |
| 2651 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 33 times.
|
33 | CHECK(secp256k1_scalar_eq(&r1, &z)); |
| 2652 |
2/2✓ Branch 0 taken 32 times.
✓ Branch 1 taken 1 times.
|
33 | if (!secp256k1_scalar_is_zero(&y)) { |
| 2653 | 32 | secp256k1_scalar_inverse(&zz, &y); | |
| 2654 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 32 times.
|
32 | CHECK(!secp256k1_scalar_check_overflow(&zz)); |
| 2655 | 32 | secp256k1_scalar_inverse_var(&zzv, &y); | |
| 2656 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 32 times.
|
32 | CHECK(secp256k1_scalar_eq(&zzv, &zz)); |
| 2657 | 32 | secp256k1_scalar_mul(&z, &z, &zz); | |
| 2658 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 32 times.
|
32 | CHECK(!secp256k1_scalar_check_overflow(&z)); |
| 2659 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 32 times.
|
32 | CHECK(secp256k1_scalar_eq(&x, &z)); |
| 2660 | 32 | secp256k1_scalar_mul(&zz, &zz, &y); | |
| 2661 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 32 times.
|
32 | CHECK(!secp256k1_scalar_check_overflow(&zz)); |
| 2662 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 32 times.
|
32 | CHECK(secp256k1_scalar_eq(&one, &zz)); |
| 2663 | } | ||
| 2664 | 33 | secp256k1_scalar_mul(&z, &x, &x); | |
| 2665 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 33 times.
|
33 | CHECK(!secp256k1_scalar_check_overflow(&z)); |
| 2666 | 33 | secp256k1_scalar_sqr(&zz, &x); | |
| 2667 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 33 times.
|
33 | CHECK(!secp256k1_scalar_check_overflow(&zz)); |
| 2668 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 33 times.
|
33 | CHECK(secp256k1_scalar_eq(&zz, &z)); |
| 2669 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 33 times.
|
33 | CHECK(secp256k1_scalar_eq(&r2, &zz)); |
| 2670 | } | ||
| 2671 | } | ||
| 2672 | 1 | } | |
| 2673 | |||
| 2674 | /***** FIELD TESTS *****/ | ||
| 2675 | |||
| 2676 | 160650 | void random_fe(secp256k1_fe *x) { | |
| 2677 | 160650 | unsigned char bin[32]; | |
| 2678 | 160650 | do { | |
| 2679 | 160650 | secp256k1_testrand256(bin); | |
| 2680 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 160650 times.
|
160650 | if (secp256k1_fe_set_b32(x, bin)) { |
| 2681 | 160650 | return; | |
| 2682 | } | ||
| 2683 | } while(1); | ||
| 2684 | } | ||
| 2685 | |||
| 2686 | 45326 | void random_fe_test(secp256k1_fe *x) { | |
| 2687 | 45346 | unsigned char bin[32]; | |
| 2688 | 45346 | do { | |
| 2689 | 45346 | secp256k1_testrand256_test(bin); | |
| 2690 |
2/2✓ Branch 1 taken 20 times.
✓ Branch 2 taken 45326 times.
|
45346 | if (secp256k1_fe_set_b32(x, bin)) { |
| 2691 | 45326 | return; | |
| 2692 | } | ||
| 2693 | } while(1); | ||
| 2694 | } | ||
| 2695 | |||
| 2696 | 115210 | void random_fe_non_zero(secp256k1_fe *nz) { | |
| 2697 | 115210 | int tries = 10; | |
| 2698 |
1/2✓ Branch 0 taken 115210 times.
✗ Branch 1 not taken.
|
115210 | while (--tries >= 0) { |
| 2699 | 115210 | random_fe(nz); | |
| 2700 | 115210 | secp256k1_fe_normalize(nz); | |
| 2701 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 115210 times.
|
115210 | if (!secp256k1_fe_is_zero(nz)) { |
| 2702 | break; | ||
| 2703 | } | ||
| 2704 | } | ||
| 2705 | /* Infinitesimal probability of spurious failure here */ | ||
| 2706 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 115210 times.
|
115210 | CHECK(tries >= 0); |
| 2707 | 115210 | } | |
| 2708 | |||
| 2709 | 10 | void random_fe_non_square(secp256k1_fe *ns) { | |
| 2710 | 10 | secp256k1_fe r; | |
| 2711 | 10 | random_fe_non_zero(ns); | |
| 2712 |
2/2✓ Branch 1 taken 7 times.
✓ Branch 2 taken 3 times.
|
10 | if (secp256k1_fe_sqrt(&r, ns)) { |
| 2713 | 7 | secp256k1_fe_negate(ns, ns, 1); | |
| 2714 | } | ||
| 2715 | 10 | } | |
| 2716 | |||
| 2717 | 448062 | int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) { | |
| 2718 | 448062 | secp256k1_fe an = *a; | |
| 2719 | 448062 | secp256k1_fe bn = *b; | |
| 2720 | 448062 | secp256k1_fe_normalize_weak(&an); | |
| 2721 | 448062 | secp256k1_fe_normalize_var(&bn); | |
| 2722 | 448062 | return secp256k1_fe_equal_var(&an, &bn); | |
| 2723 | } | ||
| 2724 | |||
| 2725 | 1 | void run_field_convert(void) { | |
| 2726 | 1 | static const unsigned char b32[32] = { | |
| 2727 | 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, | ||
| 2728 | 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, | ||
| 2729 | 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, | ||
| 2730 | 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40 | ||
| 2731 | }; | ||
| 2732 | 1 | static const secp256k1_fe_storage fes = SECP256K1_FE_STORAGE_CONST( | |
| 2733 | 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL, | ||
| 2734 | 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL | ||
| 2735 | ); | ||
| 2736 | 1 | static const secp256k1_fe fe = SECP256K1_FE_CONST( | |
| 2737 | 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL, | ||
| 2738 | 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL | ||
| 2739 | ); | ||
| 2740 | 1 | secp256k1_fe fe2; | |
| 2741 | 1 | unsigned char b322[32]; | |
| 2742 | 1 | secp256k1_fe_storage fes2; | |
| 2743 | /* Check conversions to fe. */ | ||
| 2744 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_fe_set_b32(&fe2, b32)); |
| 2745 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_fe_equal_var(&fe, &fe2)); |
| 2746 | 1 | secp256k1_fe_from_storage(&fe2, &fes); | |
| 2747 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_fe_equal_var(&fe, &fe2)); |
| 2748 | /* Check conversion from fe. */ | ||
| 2749 | 1 | secp256k1_fe_get_b32(b322, &fe); | |
| 2750 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
2 | CHECK(secp256k1_memcmp_var(b322, b32, 32) == 0); |
| 2751 | 1 | secp256k1_fe_to_storage(&fes2, &fe); | |
| 2752 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
2 | CHECK(secp256k1_memcmp_var(&fes2, &fes, sizeof(fes)) == 0); |
| 2753 | 1 | } | |
| 2754 | |||
| 2755 | /* Returns true if two field elements have the same representation. */ | ||
| 2756 | 192000 | int fe_identical(const secp256k1_fe *a, const secp256k1_fe *b) { | |
| 2757 | 192000 | int ret = 1; | |
| 2758 | #ifdef VERIFY | ||
| 2759 | ret &= (a->magnitude == b->magnitude); | ||
| 2760 | ret &= (a->normalized == b->normalized); | ||
| 2761 | #endif | ||
| 2762 | /* Compare the struct member that holds the limbs. */ | ||
| 2763 | 192000 | ret &= (secp256k1_memcmp_var(a->n, b->n, sizeof(a->n)) == 0); | |
| 2764 | 192000 | return ret; | |
| 2765 | } | ||
| 2766 | |||
| 2767 | 1 | void run_field_half(void) { | |
| 2768 | 1 | secp256k1_fe t, u; | |
| 2769 | 1 | int m; | |
| 2770 | |||
| 2771 | /* Check magnitude 0 input */ | ||
| 2772 | 1 | secp256k1_fe_get_bounds(&t, 0); | |
| 2773 | 1 | secp256k1_fe_half(&t); | |
| 2774 | #ifdef VERIFY | ||
| 2775 | CHECK(t.magnitude == 1); | ||
| 2776 | CHECK(t.normalized == 0); | ||
| 2777 | #endif | ||
| 2778 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_fe_normalizes_to_zero(&t)); |
| 2779 | |||
| 2780 | /* Check non-zero magnitudes in the supported range */ | ||
| 2781 |
2/2✓ Branch 0 taken 31 times.
✓ Branch 1 taken 1 times.
|
32 | for (m = 1; m < 32; m++) { |
| 2782 | /* Check max-value input */ | ||
| 2783 | 31 | secp256k1_fe_get_bounds(&t, m); | |
| 2784 | |||
| 2785 | 31 | u = t; | |
| 2786 | 31 | secp256k1_fe_half(&u); | |
| 2787 | #ifdef VERIFY | ||
| 2788 | CHECK(u.magnitude == (m >> 1) + 1); | ||
| 2789 | CHECK(u.normalized == 0); | ||
| 2790 | #endif | ||
| 2791 | 31 | secp256k1_fe_normalize_weak(&u); | |
| 2792 | 31 | secp256k1_fe_add(&u, &u); | |
| 2793 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 31 times.
|
31 | CHECK(check_fe_equal(&t, &u)); |
| 2794 | |||
| 2795 | /* Check worst-case input: ensure the LSB is 1 so that P will be added, | ||
| 2796 | * which will also cause all carries to be 1, since all limbs that can | ||
| 2797 | * generate a carry are initially even and all limbs of P are odd in | ||
| 2798 | * every existing field implementation. */ | ||
| 2799 | 31 | secp256k1_fe_get_bounds(&t, m); | |
| 2800 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 31 times.
|
31 | CHECK(t.n[0] > 0); |
| 2801 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 31 times.
|
31 | CHECK((t.n[0] & 1) == 0); |
| 2802 | 31 | --t.n[0]; | |
| 2803 | |||
| 2804 | 31 | u = t; | |
| 2805 | 31 | secp256k1_fe_half(&u); | |
| 2806 | #ifdef VERIFY | ||
| 2807 | CHECK(u.magnitude == (m >> 1) + 1); | ||
| 2808 | CHECK(u.normalized == 0); | ||
| 2809 | #endif | ||
| 2810 | 31 | secp256k1_fe_normalize_weak(&u); | |
| 2811 | 31 | secp256k1_fe_add(&u, &u); | |
| 2812 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 31 times.
|
31 | CHECK(check_fe_equal(&t, &u)); |
| 2813 | } | ||
| 2814 | 1 | } | |
| 2815 | |||
| 2816 | 1 | void run_field_misc(void) { | |
| 2817 | 1 | secp256k1_fe x; | |
| 2818 | 1 | secp256k1_fe y; | |
| 2819 | 1 | secp256k1_fe z; | |
| 2820 | 1 | secp256k1_fe q; | |
| 2821 | 1 | secp256k1_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5); | |
| 2822 | 1 | int i, j; | |
| 2823 |
2/2✓ Branch 0 taken 64000 times.
✓ Branch 1 taken 1 times.
|
64001 | for (i = 0; i < 1000 * count; i++) { |
| 2824 | 64000 | secp256k1_fe_storage xs, ys, zs; | |
| 2825 |
2/2✓ Branch 0 taken 32000 times.
✓ Branch 1 taken 32000 times.
|
64000 | if (i & 1) { |
| 2826 | 32000 | random_fe(&x); | |
| 2827 | } else { | ||
| 2828 | 32000 | random_fe_test(&x); | |
| 2829 | } | ||
| 2830 | 64000 | random_fe_non_zero(&y); | |
| 2831 | /* Test the fe equality and comparison operations. */ | ||
| 2832 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 64000 times.
|
64000 | CHECK(secp256k1_fe_cmp_var(&x, &x) == 0); |
| 2833 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 64000 times.
|
64000 | CHECK(secp256k1_fe_equal_var(&x, &x)); |
| 2834 | 64000 | z = x; | |
| 2835 | 64000 | secp256k1_fe_add(&z,&y); | |
| 2836 | /* Test fe conditional move; z is not normalized here. */ | ||
| 2837 | 64000 | q = x; | |
| 2838 | 64000 | secp256k1_fe_cmov(&x, &z, 0); | |
| 2839 | #ifdef VERIFY | ||
| 2840 | CHECK(x.normalized && x.magnitude == 1); | ||
| 2841 | #endif | ||
| 2842 | 64000 | secp256k1_fe_cmov(&x, &x, 1); | |
| 2843 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 64000 times.
|
64000 | CHECK(!fe_identical(&x, &z)); |
| 2844 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 64000 times.
|
64000 | CHECK(fe_identical(&x, &q)); |
| 2845 | 64000 | secp256k1_fe_cmov(&q, &z, 1); | |
| 2846 | #ifdef VERIFY | ||
| 2847 | CHECK(!q.normalized && q.magnitude == z.magnitude); | ||
| 2848 | #endif | ||
| 2849 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 64000 times.
|
64000 | CHECK(fe_identical(&q, &z)); |
| 2850 | 64000 | secp256k1_fe_normalize_var(&x); | |
| 2851 | 64000 | secp256k1_fe_normalize_var(&z); | |
| 2852 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 64000 times.
|
64000 | CHECK(!secp256k1_fe_equal_var(&x, &z)); |
| 2853 | 64000 | secp256k1_fe_normalize_var(&q); | |
| 2854 | 64000 | secp256k1_fe_cmov(&q, &z, (i&1)); | |
| 2855 | #ifdef VERIFY | ||
| 2856 | CHECK(q.normalized && q.magnitude == 1); | ||
| 2857 | #endif | ||
| 2858 |
2/2✓ Branch 1 taken 384000 times.
✓ Branch 2 taken 64000 times.
|
512000 | for (j = 0; j < 6; j++) { |
| 2859 | 384000 | secp256k1_fe_negate(&z, &z, j+1); | |
| 2860 | 384000 | secp256k1_fe_normalize_var(&q); | |
| 2861 | 384000 | secp256k1_fe_cmov(&q, &z, (j&1)); | |
| 2862 | #ifdef VERIFY | ||
| 2863 | CHECK((q.normalized != (j&1)) && q.magnitude == ((j&1) ? z.magnitude : 1)); | ||
| 2864 | #endif | ||
| 2865 | } | ||
| 2866 | 64000 | secp256k1_fe_normalize_var(&z); | |
| 2867 | /* Test storage conversion and conditional moves. */ | ||
| 2868 | 64000 | secp256k1_fe_to_storage(&xs, &x); | |
| 2869 | 64000 | secp256k1_fe_to_storage(&ys, &y); | |
| 2870 | 64000 | secp256k1_fe_to_storage(&zs, &z); | |
| 2871 | 64000 | secp256k1_fe_storage_cmov(&zs, &xs, 0); | |
| 2872 | 64000 | secp256k1_fe_storage_cmov(&zs, &zs, 1); | |
| 2873 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 64000 times.
|
128000 | CHECK(secp256k1_memcmp_var(&xs, &zs, sizeof(xs)) != 0); |
| 2874 | 64000 | secp256k1_fe_storage_cmov(&ys, &xs, 1); | |
| 2875 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 64000 times.
|
128000 | CHECK(secp256k1_memcmp_var(&xs, &ys, sizeof(xs)) == 0); |
| 2876 | 64000 | secp256k1_fe_from_storage(&x, &xs); | |
| 2877 | 64000 | secp256k1_fe_from_storage(&y, &ys); | |
| 2878 | 64000 | secp256k1_fe_from_storage(&z, &zs); | |
| 2879 | /* Test that mul_int, mul, and add agree. */ | ||
| 2880 | 64000 | secp256k1_fe_add(&y, &x); | |
| 2881 | 64000 | secp256k1_fe_add(&y, &x); | |
| 2882 | 64000 | z = x; | |
| 2883 | 64000 | secp256k1_fe_mul_int(&z, 3); | |
| 2884 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 64000 times.
|
64000 | CHECK(check_fe_equal(&y, &z)); |
| 2885 | 64000 | secp256k1_fe_add(&y, &x); | |
| 2886 | 64000 | secp256k1_fe_add(&z, &x); | |
| 2887 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 64000 times.
|
64000 | CHECK(check_fe_equal(&z, &y)); |
| 2888 | 64000 | z = x; | |
| 2889 | 64000 | secp256k1_fe_mul_int(&z, 5); | |
| 2890 | 64000 | secp256k1_fe_mul(&q, &x, &fe5); | |
| 2891 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 64000 times.
|
64000 | CHECK(check_fe_equal(&z, &q)); |
| 2892 | 64000 | secp256k1_fe_negate(&x, &x, 1); | |
| 2893 | 64000 | secp256k1_fe_add(&z, &x); | |
| 2894 | 64000 | secp256k1_fe_add(&q, &x); | |
| 2895 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 64000 times.
|
64000 | CHECK(check_fe_equal(&y, &z)); |
| 2896 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 64000 times.
|
64000 | CHECK(check_fe_equal(&q, &y)); |
| 2897 | /* Check secp256k1_fe_half. */ | ||
| 2898 | 64000 | z = x; | |
| 2899 | 64000 | secp256k1_fe_half(&z); | |
| 2900 | 64000 | secp256k1_fe_add(&z, &z); | |
| 2901 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 64000 times.
|
64000 | CHECK(check_fe_equal(&x, &z)); |
| 2902 | 64000 | secp256k1_fe_add(&z, &z); | |
| 2903 | 64000 | secp256k1_fe_half(&z); | |
| 2904 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 64000 times.
|
64000 | CHECK(check_fe_equal(&x, &z)); |
| 2905 | } | ||
| 2906 | 1 | } | |
| 2907 | |||
| 2908 | 38400 | void test_fe_mul(const secp256k1_fe* a, const secp256k1_fe* b, int use_sqr) | |
| 2909 | { | ||
| 2910 | 38400 | secp256k1_fe c, an, bn; | |
| 2911 | /* Variables in BE 32-byte format. */ | ||
| 2912 | 38400 | unsigned char a32[32], b32[32], c32[32]; | |
| 2913 | /* Variables in LE 16x uint16_t format. */ | ||
| 2914 | 38400 | uint16_t a16[16], b16[16], c16[16]; | |
| 2915 | /* Field modulus in LE 16x uint16_t format. */ | ||
| 2916 | 38400 | static const uint16_t m16[16] = { | |
| 2917 | 0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, | ||
| 2918 | 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, | ||
| 2919 | }; | ||
| 2920 | 38400 | uint16_t t16[32]; | |
| 2921 | 38400 | int i; | |
| 2922 | |||
| 2923 | /* Compute C = A * B in fe format. */ | ||
| 2924 | 38400 | c = *a; | |
| 2925 |
2/2✓ Branch 0 taken 12800 times.
✓ Branch 1 taken 25600 times.
|
38400 | if (use_sqr) { |
| 2926 | 12800 | secp256k1_fe_sqr(&c, &c); | |
| 2927 | } else { | ||
| 2928 | 25600 | secp256k1_fe_mul(&c, &c, b); | |
| 2929 | } | ||
| 2930 | |||
| 2931 | /* Convert A, B, C into LE 16x uint16_t format. */ | ||
| 2932 | 38400 | an = *a; | |
| 2933 | 38400 | bn = *b; | |
| 2934 | 38400 | secp256k1_fe_normalize_var(&c); | |
| 2935 | 38400 | secp256k1_fe_normalize_var(&an); | |
| 2936 | 38400 | secp256k1_fe_normalize_var(&bn); | |
| 2937 | 38400 | secp256k1_fe_get_b32(a32, &an); | |
| 2938 | 38400 | secp256k1_fe_get_b32(b32, &bn); | |
| 2939 | 38400 | secp256k1_fe_get_b32(c32, &c); | |
| 2940 |
2/2✓ Branch 1 taken 614400 times.
✓ Branch 2 taken 38400 times.
|
691200 | for (i = 0; i < 16; ++i) { |
| 2941 | 614400 | a16[i] = a32[31 - 2*i] + ((uint16_t)a32[30 - 2*i] << 8); | |
| 2942 | 614400 | b16[i] = b32[31 - 2*i] + ((uint16_t)b32[30 - 2*i] << 8); | |
| 2943 | 614400 | c16[i] = c32[31 - 2*i] + ((uint16_t)c32[30 - 2*i] << 8); | |
| 2944 | } | ||
| 2945 | /* Compute T = A * B in LE 16x uint16_t format. */ | ||
| 2946 | 38400 | mulmod256(t16, a16, b16, m16); | |
| 2947 | /* Compare */ | ||
| 2948 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 38400 times.
|
76800 | CHECK(secp256k1_memcmp_var(t16, c16, 32) == 0); |
| 2949 | 38400 | } | |
| 2950 | |||
| 2951 | 1 | void run_fe_mul(void) { | |
| 2952 | 1 | int i; | |
| 2953 |
2/2✓ Branch 0 taken 6400 times.
✓ Branch 1 taken 1 times.
|
6401 | for (i = 0; i < 100 * count; ++i) { |
| 2954 | 6400 | secp256k1_fe a, b, c, d; | |
| 2955 | 6400 | random_fe(&a); | |
| 2956 | 6400 | random_field_element_magnitude(&a); | |
| 2957 | 6400 | random_fe(&b); | |
| 2958 | 6400 | random_field_element_magnitude(&b); | |
| 2959 | 6400 | random_fe_test(&c); | |
| 2960 | 6400 | random_field_element_magnitude(&c); | |
| 2961 | 6400 | random_fe_test(&d); | |
| 2962 | 6400 | random_field_element_magnitude(&d); | |
| 2963 | 6400 | test_fe_mul(&a, &a, 1); | |
| 2964 | 6400 | test_fe_mul(&c, &c, 1); | |
| 2965 | 6400 | test_fe_mul(&a, &b, 0); | |
| 2966 | 6400 | test_fe_mul(&a, &c, 0); | |
| 2967 | 6400 | test_fe_mul(&c, &b, 0); | |
| 2968 | 6400 | test_fe_mul(&c, &d, 0); | |
| 2969 | } | ||
| 2970 | 1 | } | |
| 2971 | |||
| 2972 | 1 | void run_sqr(void) { | |
| 2973 | 1 | secp256k1_fe x, s; | |
| 2974 | |||
| 2975 | { | ||
| 2976 | 1 | int i; | |
| 2977 | 1 | secp256k1_fe_set_int(&x, 1); | |
| 2978 | 1 | secp256k1_fe_negate(&x, &x, 1); | |
| 2979 | |||
| 2980 |
2/2✓ Branch 0 taken 512 times.
✓ Branch 1 taken 1 times.
|
513 | for (i = 1; i <= 512; ++i) { |
| 2981 | 512 | secp256k1_fe_mul_int(&x, 2); | |
| 2982 | 512 | secp256k1_fe_normalize(&x); | |
| 2983 | 512 | secp256k1_fe_sqr(&s, &x); | |
| 2984 | } | ||
| 2985 | } | ||
| 2986 | 1 | } | |
| 2987 | |||
| 2988 | 2121 | void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k) { | |
| 2989 | 2121 | secp256k1_fe r1, r2; | |
| 2990 | 2121 | int v = secp256k1_fe_sqrt(&r1, a); | |
| 2991 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 2121 times.
|
2121 | CHECK((v == 0) == (k == NULL)); |
| 2992 | |||
| 2993 |
2/2✓ Branch 0 taken 741 times.
✓ Branch 1 taken 1380 times.
|
2121 | if (k != NULL) { |
| 2994 | /* Check that the returned root is +/- the given known answer */ | ||
| 2995 | 741 | secp256k1_fe_negate(&r2, &r1, 1); | |
| 2996 | 741 | secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k); | |
| 2997 | 741 | secp256k1_fe_normalize(&r1); secp256k1_fe_normalize(&r2); | |
| 2998 |
3/4✓ Branch 0 taken 388 times.
✓ Branch 1 taken 353 times.
✗ Branch 2 not taken.
✓ Branch 3 taken 388 times.
|
741 | CHECK(secp256k1_fe_is_zero(&r1) || secp256k1_fe_is_zero(&r2)); |
| 2999 | } | ||
| 3000 | 2121 | } | |
| 3001 | |||
| 3002 | 1 | void run_sqrt(void) { | |
| 3003 | 1 | secp256k1_fe ns, x, s, t; | |
| 3004 | 1 | int i; | |
| 3005 | |||
| 3006 | /* Check sqrt(0) is 0 */ | ||
| 3007 | 1 | secp256k1_fe_set_int(&x, 0); | |
| 3008 | 1 | secp256k1_fe_sqr(&s, &x); | |
| 3009 | 1 | test_sqrt(&s, &x); | |
| 3010 | |||
| 3011 | /* Check sqrt of small squares (and their negatives) */ | ||
| 3012 |
2/2✓ Branch 1 taken 100 times.
✓ Branch 2 taken 1 times.
|
102 | for (i = 1; i <= 100; i++) { |
| 3013 | 100 | secp256k1_fe_set_int(&x, i); | |
| 3014 | 100 | secp256k1_fe_sqr(&s, &x); | |
| 3015 | 100 | test_sqrt(&s, &x); | |
| 3016 | 100 | secp256k1_fe_negate(&t, &s, 1); | |
| 3017 | 100 | test_sqrt(&t, NULL); | |
| 3018 | } | ||
| 3019 | |||
| 3020 | /* Consistency checks for large random values */ | ||
| 3021 |
2/2✓ Branch 0 taken 10 times.
✓ Branch 1 taken 1 times.
|
11 | for (i = 0; i < 10; i++) { |
| 3022 | 10 | int j; | |
| 3023 | 10 | random_fe_non_square(&ns); | |
| 3024 |
2/2✓ Branch 1 taken 640 times.
✓ Branch 2 taken 10 times.
|
660 | for (j = 0; j < count; j++) { |
| 3025 | 640 | random_fe(&x); | |
| 3026 | 640 | secp256k1_fe_sqr(&s, &x); | |
| 3027 | 640 | test_sqrt(&s, &x); | |
| 3028 | 640 | secp256k1_fe_negate(&t, &s, 1); | |
| 3029 | 640 | test_sqrt(&t, NULL); | |
| 3030 | 640 | secp256k1_fe_mul(&t, &s, &ns); | |
| 3031 | 640 | test_sqrt(&t, NULL); | |
| 3032 | } | ||
| 3033 | } | ||
| 3034 | 1 | } | |
| 3035 | |||
| 3036 | /***** FIELD/SCALAR INVERSE TESTS *****/ | ||
| 3037 | |||
| 3038 | static const secp256k1_scalar scalar_minus_one = SECP256K1_SCALAR_CONST( | ||
| 3039 | 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE, | ||
| 3040 | 0xBAAEDCE6, 0xAF48A03B, 0xBFD25E8C, 0xD0364140 | ||
| 3041 | ); | ||
| 3042 | |||
| 3043 | static const secp256k1_fe fe_minus_one = SECP256K1_FE_CONST( | ||
| 3044 | 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, | ||
| 3045 | 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFC2E | ||
| 3046 | ); | ||
| 3047 | |||
| 3048 | /* These tests test the following identities: | ||
| 3049 | * | ||
| 3050 | * for x==0: 1/x == 0 | ||
| 3051 | * for x!=0: x*(1/x) == 1 | ||
| 3052 | * for x!=0 and x!=1: 1/(1/x - 1) + 1 == -1/(x-1) | ||
| 3053 | */ | ||
| 3054 | |||
| 3055 | 20532 | void test_inverse_scalar(secp256k1_scalar* out, const secp256k1_scalar* x, int var) | |
| 3056 | { | ||
| 3057 | 20532 | secp256k1_scalar l, r, t; | |
| 3058 | |||
| 3059 |
2/2✓ Branch 0 taken 10266 times.
✓ Branch 1 taken 10266 times.
|
30798 | (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&l, x); /* l = 1/x */ |
| 3060 |
2/2✓ Branch 0 taken 148 times.
✓ Branch 1 taken 20384 times.
|
20532 | if (out) *out = l; |
| 3061 |
2/2✓ Branch 0 taken 10 times.
✓ Branch 1 taken 20522 times.
|
20532 | if (secp256k1_scalar_is_zero(x)) { |
| 3062 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 10 times.
|
10 | CHECK(secp256k1_scalar_is_zero(&l)); |
| 3063 | 16 | return; | |
| 3064 | } | ||
| 3065 | 20522 | secp256k1_scalar_mul(&t, x, &l); /* t = x*(1/x) */ | |
| 3066 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 20522 times.
|
20522 | CHECK(secp256k1_scalar_is_one(&t)); /* x*(1/x) == 1 */ |
| 3067 | 20522 | secp256k1_scalar_add(&r, x, &scalar_minus_one); /* r = x-1 */ | |
| 3068 |
2/2✓ Branch 0 taken 20516 times.
✓ Branch 1 taken 6 times.
|
20522 | if (secp256k1_scalar_is_zero(&r)) return; |
| 3069 | 20516 | (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&r, &r); /* r = 1/(x-1) */ | |
| 3070 | 20516 | secp256k1_scalar_add(&l, &scalar_minus_one, &l); /* l = 1/x-1 */ | |
| 3071 | 20516 | (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&l, &l); /* l = 1/(1/x-1) */ | |
| 3072 | 20516 | secp256k1_scalar_add(&l, &l, &secp256k1_scalar_one); /* l = 1/(1/x-1)+1 */ | |
| 3073 | 20516 | secp256k1_scalar_add(&l, &r, &l); /* l = 1/(1/x-1)+1 + 1/(x-1) */ | |
| 3074 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 20516 times.
|
20516 | CHECK(secp256k1_scalar_is_zero(&l)); /* l == 0 */ |
| 3075 | } | ||
| 3076 | |||
| 3077 | 20568 | void test_inverse_field(secp256k1_fe* out, const secp256k1_fe* x, int var) | |
| 3078 | { | ||
| 3079 | 20568 | secp256k1_fe l, r, t; | |
| 3080 | |||
| 3081 |
2/2✓ Branch 0 taken 10284 times.
✓ Branch 1 taken 10284 times.
|
30852 | (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&l, x) ; /* l = 1/x */ |
| 3082 |
2/2✓ Branch 0 taken 184 times.
✓ Branch 1 taken 20384 times.
|
20568 | if (out) *out = l; |
| 3083 | 20568 | t = *x; /* t = x */ | |
| 3084 |
2/2✓ Branch 0 taken 10 times.
✓ Branch 1 taken 20558 times.
|
20568 | if (secp256k1_fe_normalizes_to_zero_var(&t)) { |
| 3085 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 10 times.
|
10 | CHECK(secp256k1_fe_normalizes_to_zero(&l)); |
| 3086 | 16 | return; | |
| 3087 | } | ||
| 3088 | 20558 | secp256k1_fe_mul(&t, x, &l); /* t = x*(1/x) */ | |
| 3089 | 20558 | secp256k1_fe_add(&t, &fe_minus_one); /* t = x*(1/x)-1 */ | |
| 3090 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 20558 times.
|
20558 | CHECK(secp256k1_fe_normalizes_to_zero(&t)); /* x*(1/x)-1 == 0 */ |
| 3091 | 20558 | r = *x; /* r = x */ | |
| 3092 | 20558 | secp256k1_fe_add(&r, &fe_minus_one); /* r = x-1 */ | |
| 3093 |
2/2✓ Branch 0 taken 20552 times.
✓ Branch 1 taken 6 times.
|
20558 | if (secp256k1_fe_normalizes_to_zero_var(&r)) return; |
| 3094 | 20552 | (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&r, &r); /* r = 1/(x-1) */ | |
| 3095 | 20552 | secp256k1_fe_add(&l, &fe_minus_one); /* l = 1/x-1 */ | |
| 3096 | 20552 | (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&l, &l); /* l = 1/(1/x-1) */ | |
| 3097 | 20552 | secp256k1_fe_add(&l, &secp256k1_fe_one); /* l = 1/(1/x-1)+1 */ | |
| 3098 | 20552 | secp256k1_fe_add(&l, &r); /* l = 1/(1/x-1)+1 + 1/(x-1) */ | |
| 3099 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 20552 times.
|
20552 | CHECK(secp256k1_fe_normalizes_to_zero_var(&l)); /* l == 0 */ |
| 3100 | } | ||
| 3101 | |||
| 3102 | 1 | void run_inverse_tests(void) | |
| 3103 | { | ||
| 3104 | /* Fixed test cases for field inverses: pairs of (x, 1/x) mod p. */ | ||
| 3105 | 1 | static const secp256k1_fe fe_cases[][2] = { | |
| 3106 | /* 0 */ | ||
| 3107 | {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0), | ||
| 3108 | SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0)}, | ||
| 3109 | /* 1 */ | ||
| 3110 | {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1), | ||
| 3111 | SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1)}, | ||
| 3112 | /* -1 */ | ||
| 3113 | {SECP256K1_FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e), | ||
| 3114 | SECP256K1_FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e)}, | ||
| 3115 | /* 2 */ | ||
| 3116 | {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2), | ||
| 3117 | SECP256K1_FE_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x7ffffe18)}, | ||
| 3118 | /* 2**128 */ | ||
| 3119 | {SECP256K1_FE_CONST(0, 0, 0, 1, 0, 0, 0, 0), | ||
| 3120 | SECP256K1_FE_CONST(0xbcb223fe, 0xdc24a059, 0xd838091d, 0xd2253530, 0xffffffff, 0xffffffff, 0xffffffff, 0x434dd931)}, | ||
| 3121 | /* Input known to need 637 divsteps */ | ||
| 3122 | {SECP256K1_FE_CONST(0xe34e9c95, 0x6bee8a84, 0x0dcb632a, 0xdb8a1320, 0x66885408, 0x06f3f996, 0x7c11ca84, 0x19199ec3), | ||
| 3123 | SECP256K1_FE_CONST(0xbd2cbd8f, 0x1c536828, 0x9bccda44, 0x2582ac0c, 0x870152b0, 0x8a3f09fb, 0x1aaadf92, 0x19b618e5)}, | ||
| 3124 | /* Input known to need 567 divsteps starting with delta=1/2. */ | ||
| 3125 | {SECP256K1_FE_CONST(0xf6bc3ba3, 0x636451c4, 0x3e46357d, 0x2c21d619, 0x0988e234, 0x15985661, 0x6672982b, 0xa7549bfc), | ||
| 3126 | SECP256K1_FE_CONST(0xb024fdc7, 0x5547451e, 0x426c585f, 0xbd481425, 0x73df6b75, 0xeef6d9d0, 0x389d87d4, 0xfbb440ba)}, | ||
| 3127 | /* Input known to need 566 divsteps starting with delta=1/2. */ | ||
| 3128 | {SECP256K1_FE_CONST(0xb595d81b, 0x2e3c1e2f, 0x482dbc65, 0xe4865af7, 0x9a0a50aa, 0x29f9e618, 0x6f87d7a5, 0x8d1063ae), | ||
| 3129 | SECP256K1_FE_CONST(0xc983337c, 0x5d5c74e1, 0x49918330, 0x0b53afb5, 0xa0428a0b, 0xce6eef86, 0x059bd8ef, 0xe5b908de)}, | ||
| 3130 | /* Set of 10 inputs accessing all 128 entries in the modinv32 divsteps_var table */ | ||
| 3131 | {SECP256K1_FE_CONST(0x00000000, 0x00000000, 0xe0ff1f80, 0x1f000000, 0x00000000, 0x00000000, 0xfeff0100, 0x00000000), | ||
| 3132 | SECP256K1_FE_CONST(0x9faf9316, 0x77e5049d, 0x0b5e7a1b, 0xef70b893, 0x18c9e30c, 0x045e7fd7, 0x29eddf8c, 0xd62e9e3d)}, | ||
| 3133 | {SECP256K1_FE_CONST(0x621a538d, 0x511b2780, 0x35688252, 0x53f889a4, 0x6317c3ac, 0x32ba0a46, 0x6277c0d1, 0xccd31192), | ||
| 3134 | SECP256K1_FE_CONST(0x38513b0c, 0x5eba856f, 0xe29e882e, 0x9b394d8c, 0x34bda011, 0xeaa66943, 0x6a841a4c, 0x6ae8bcff)}, | ||
| 3135 | {SECP256K1_FE_CONST(0x00000200, 0xf0ffff1f, 0x00000000, 0x0000e0ff, 0xffffffff, 0xfffcffff, 0xffffffff, 0xffff0100), | ||
| 3136 | SECP256K1_FE_CONST(0x5da42a52, 0x3640de9e, 0x13e64343, 0x0c7591b7, 0x6c1e3519, 0xf048c5b6, 0x0484217c, 0xedbf8b2f)}, | ||
| 3137 | {SECP256K1_FE_CONST(0xd1343ef9, 0x4b952621, 0x7c52a2ee, 0x4ea1281b, 0x4ab46410, 0x9f26998d, 0xa686a8ff, 0x9f2103e8), | ||
| 3138 | SECP256K1_FE_CONST(0x84044385, 0x9a4619bf, 0x74e35b6d, 0xa47e0c46, 0x6b7fb47d, 0x9ffab128, 0xb0775aa3, 0xcb318bd1)}, | ||
| 3139 | {SECP256K1_FE_CONST(0xb27235d2, 0xc56a52be, 0x210db37a, 0xd50d23a4, 0xbe621bdd, 0x5df22c6a, 0xe926ba62, 0xd2e4e440), | ||
| 3140 | SECP256K1_FE_CONST(0x67a26e54, 0x483a9d3c, 0xa568469e, 0xd258ab3d, 0xb9ec9981, 0xdca9b1bd, 0x8d2775fe, 0x53ae429b)}, | ||
| 3141 | {SECP256K1_FE_CONST(0x00000000, 0x00000000, 0x00e0ffff, 0xffffff83, 0xffffffff, 0x3f00f00f, 0x000000e0, 0xffffffff), | ||
| 3142 | SECP256K1_FE_CONST(0x310e10f8, 0x23bbfab0, 0xac94907d, 0x076c9a45, 0x8d357d7f, 0xc763bcee, 0x00d0e615, 0x5a6acef6)}, | ||
| 3143 | {SECP256K1_FE_CONST(0xfeff0300, 0x001c0000, 0xf80700c0, 0x0ff0ffff, 0xffffffff, 0x0fffffff, 0xffff0100, 0x7f0000fe), | ||
| 3144 | SECP256K1_FE_CONST(0x28e2fdb4, 0x0709168b, 0x86f598b0, 0x3453a370, 0x530cf21f, 0x32f978d5, 0x1d527a71, 0x59269b0c)}, | ||
| 3145 | {SECP256K1_FE_CONST(0xc2591afa, 0x7bb98ef7, 0x090bb273, 0x85c14f87, 0xbb0b28e0, 0x54d3c453, 0x85c66753, 0xd5574d2f), | ||
| 3146 | SECP256K1_FE_CONST(0xfdca70a2, 0x70ce627c, 0x95e66fae, 0x848a6dbb, 0x07ffb15c, 0x5f63a058, 0xba4140ed, 0x6113b503)}, | ||
| 3147 | {SECP256K1_FE_CONST(0xf5475db3, 0xedc7b5a3, 0x411c047e, 0xeaeb452f, 0xc625828e, 0x1cf5ad27, 0x8eec1060, 0xc7d3e690), | ||
| 3148 | SECP256K1_FE_CONST(0x5eb756c0, 0xf963f4b9, 0xdc6a215e, 0xec8cc2d8, 0x2e9dec01, 0xde5eb88d, 0x6aba7164, 0xaecb2c5a)}, | ||
| 3149 | {SECP256K1_FE_CONST(0x00000000, 0x00f8ffff, 0xffffffff, 0x01000000, 0xe0ff1f00, 0x00000000, 0xffffff7f, 0x00000000), | ||
| 3150 | SECP256K1_FE_CONST(0xe0d2e3d8, 0x49b6157d, 0xe54e88c2, 0x1a7f02ca, 0x7dd28167, 0xf1125d81, 0x7bfa444e, 0xbe110037)}, | ||
| 3151 | /* Selection of randomly generated inputs that reach high/low d/e values in various configurations. */ | ||
| 3152 | {SECP256K1_FE_CONST(0x13cc08a4, 0xd8c41f0f, 0x179c3e67, 0x54c46c67, 0xc4109221, 0x09ab3b13, 0xe24d9be1, 0xffffe950), | ||
| 3153 | SECP256K1_FE_CONST(0xb80c8006, 0xd16abaa7, 0xcabd71e5, 0xcf6714f4, 0x966dd3d0, 0x64767a2d, 0xe92c4441, 0x51008cd1)}, | ||
| 3154 | {SECP256K1_FE_CONST(0xaa6db990, 0x95efbca1, 0x3cc6ff71, 0x0602e24a, 0xf49ff938, 0x99fffc16, 0x46f40993, 0xc6e72057), | ||
| 3155 | SECP256K1_FE_CONST(0xd5d3dd69, 0xb0c195e5, 0x285f1d49, 0xe639e48c, 0x9223f8a9, 0xca1d731d, 0x9ca482f9, 0xa5b93e06)}, | ||
| 3156 | {SECP256K1_FE_CONST(0x1c680eac, 0xaeabffd8, 0x9bdc4aee, 0x1781e3de, 0xa3b08108, 0x0015f2e0, 0x94449e1b, 0x2f67a058), | ||
| 3157 | SECP256K1_FE_CONST(0x7f083f8d, 0x31254f29, 0x6510f475, 0x245c373d, 0xc5622590, 0x4b323393, 0x32ed1719, 0xc127444b)}, | ||
| 3158 | {SECP256K1_FE_CONST(0x147d44b3, 0x012d83f8, 0xc160d386, 0x1a44a870, 0x9ba6be96, 0x8b962707, 0x267cbc1a, 0xb65b2f0a), | ||
| 3159 | SECP256K1_FE_CONST(0x555554ff, 0x170aef1e, 0x50a43002, 0xe51fbd36, 0xafadb458, 0x7a8aded1, 0x0ca6cd33, 0x6ed9087c)}, | ||
| 3160 | {SECP256K1_FE_CONST(0x12423796, 0x22f0fe61, 0xf9ca017c, 0x5384d107, 0xa1fbf3b2, 0x3b018013, 0x916a3c37, 0x4000b98c), | ||
| 3161 | SECP256K1_FE_CONST(0x20257700, 0x08668f94, 0x1177e306, 0x136c01f5, 0x8ed1fbd2, 0x95ec4589, 0xae38edb9, 0xfd19b6d7)}, | ||
| 3162 | {SECP256K1_FE_CONST(0xdcf2d030, 0x9ab42cb4, 0x93ffa181, 0xdcd23619, 0x39699b52, 0x08909a20, 0xb5a17695, 0x3a9dcf21), | ||
| 3163 | SECP256K1_FE_CONST(0x1f701dea, 0xe211fb1f, 0x4f37180d, 0x63a0f51c, 0x29fe1e40, 0xa40b6142, 0x2e7b12eb, 0x982b06b6)}, | ||
| 3164 | {SECP256K1_FE_CONST(0x79a851f6, 0xa6314ed3, 0xb35a55e6, 0xca1c7d7f, 0xe32369ea, 0xf902432e, 0x375308c5, 0xdfd5b600), | ||
| 3165 | SECP256K1_FE_CONST(0xcaae00c5, 0xe6b43851, 0x9dabb737, 0x38cba42c, 0xa02c8549, 0x7895dcbf, 0xbd183d71, 0xafe4476a)}, | ||
| 3166 | {SECP256K1_FE_CONST(0xede78fdd, 0xcfc92bf1, 0x4fec6c6c, 0xdb8d37e2, 0xfb66bc7b, 0x28701870, 0x7fa27c9a, 0x307196ec), | ||
| 3167 | SECP256K1_FE_CONST(0x68193a6c, 0x9a8b87a7, 0x2a760c64, 0x13e473f6, 0x23ae7bed, 0x1de05422, 0x88865427, 0xa3418265)}, | ||
| 3168 | {SECP256K1_FE_CONST(0xa40b2079, 0xb8f88e89, 0xa7617997, 0x89baf5ae, 0x174df343, 0x75138eae, 0x2711595d, 0x3fc3e66c), | ||
| 3169 | SECP256K1_FE_CONST(0x9f99c6a5, 0x6d685267, 0xd4b87c37, 0x9d9c4576, 0x358c692b, 0x6bbae0ed, 0x3389c93d, 0x7fdd2655)}, | ||
| 3170 | {SECP256K1_FE_CONST(0x7c74c6b6, 0xe98d9151, 0x72645cf1, 0x7f06e321, 0xcefee074, 0x15b2113a, 0x10a9be07, 0x08a45696), | ||
| 3171 | SECP256K1_FE_CONST(0x8c919a88, 0x898bc1e0, 0x77f26f97, 0x12e655b7, 0x9ba0ac40, 0xe15bb19e, 0x8364cc3b, 0xe227a8ee)}, | ||
| 3172 | {SECP256K1_FE_CONST(0x109ba1ce, 0xdafa6d4a, 0xa1cec2b2, 0xeb1069f4, 0xb7a79e5b, 0xec6eb99b, 0xaec5f643, 0xee0e723e), | ||
| 3173 | SECP256K1_FE_CONST(0x93d13eb8, 0x4bb0bcf9, 0xe64f5a71, 0xdbe9f359, 0x7191401c, 0x6f057a4a, 0xa407fe1b, 0x7ecb65cc)}, | ||
| 3174 | {SECP256K1_FE_CONST(0x3db076cd, 0xec74a5c9, 0xf61dd138, 0x90e23e06, 0xeeedd2d0, 0x74cbc4e0, 0x3dbe1e91, 0xded36a78), | ||
| 3175 | SECP256K1_FE_CONST(0x3f07f966, 0x8e2a1e09, 0x706c71df, 0x02b5e9d5, 0xcb92ddbf, 0xcdd53010, 0x16545564, 0xe660b107)}, | ||
| 3176 | {SECP256K1_FE_CONST(0xe31c73ed, 0xb4c4b82c, 0x02ae35f7, 0x4cdec153, 0x98b522fd, 0xf7d2460c, 0x6bf7c0f8, 0x4cf67b0d), | ||
| 3177 | SECP256K1_FE_CONST(0x4b8f1faf, 0x94e8b070, 0x19af0ff6, 0xa319cd31, 0xdf0a7ffb, 0xefaba629, 0x59c50666, 0x1fe5b843)}, | ||
| 3178 | {SECP256K1_FE_CONST(0x4c8b0e6e, 0x83392ab6, 0xc0e3e9f1, 0xbbd85497, 0x16698897, 0xf552d50d, 0x79652ddb, 0x12f99870), | ||
| 3179 | SECP256K1_FE_CONST(0x56d5101f, 0xd23b7949, 0x17dc38d6, 0xf24022ef, 0xcf18e70a, 0x5cc34424, 0x438544c3, 0x62da4bca)}, | ||
| 3180 | {SECP256K1_FE_CONST(0xb0e040e2, 0x40cc35da, 0x7dd5c611, 0x7fccb178, 0x28888137, 0xbc930358, 0xea2cbc90, 0x775417dc), | ||
| 3181 | SECP256K1_FE_CONST(0xca37f0d4, 0x016dd7c8, 0xab3ae576, 0x96e08d69, 0x68ed9155, 0xa9b44270, 0x900ae35d, 0x7c7800cd)}, | ||
| 3182 | {SECP256K1_FE_CONST(0x8a32ea49, 0x7fbb0bae, 0x69724a9d, 0x8e2105b2, 0xbdf69178, 0x862577ef, 0x35055590, 0x667ddaef), | ||
| 3183 | SECP256K1_FE_CONST(0xd02d7ead, 0xc5e190f0, 0x559c9d72, 0xdaef1ffc, 0x64f9f425, 0xf43645ea, 0x7341e08d, 0x11768e96)}, | ||
| 3184 | {SECP256K1_FE_CONST(0xa3592d98, 0x9abe289d, 0x579ebea6, 0xbb0857a8, 0xe242ab73, 0x85f9a2ce, 0xb6998f0f, 0xbfffbfc6), | ||
| 3185 | SECP256K1_FE_CONST(0x093c1533, 0x32032efa, 0x6aa46070, 0x0039599e, 0x589c35f4, 0xff525430, 0x7fe3777a, 0x44b43ddc)}, | ||
| 3186 | {SECP256K1_FE_CONST(0x647178a3, 0x229e607b, 0xcc98521a, 0xcce3fdd9, 0x1e1bc9c9, 0x97fb7c6a, 0x61b961e0, 0x99b10709), | ||
| 3187 | SECP256K1_FE_CONST(0x98217c13, 0xd51ddf78, 0x96310e77, 0xdaebd908, 0x602ca683, 0xcb46d07a, 0xa1fcf17e, 0xc8e2feb3)}, | ||
| 3188 | {SECP256K1_FE_CONST(0x7334627c, 0x73f98968, 0x99464b4b, 0xf5964958, 0x1b95870d, 0xc658227e, 0x5e3235d8, 0xdcab5787), | ||
| 3189 | SECP256K1_FE_CONST(0x000006fd, 0xc7e9dd94, 0x40ae367a, 0xe51d495c, 0x07603b9b, 0x2d088418, 0x6cc5c74c, 0x98514307)}, | ||
| 3190 | {SECP256K1_FE_CONST(0x82e83876, 0x96c28938, 0xa50dd1c5, 0x605c3ad1, 0xc048637d, 0x7a50825f, 0x335ed01a, 0x00005760), | ||
| 3191 | SECP256K1_FE_CONST(0xb0393f9f, 0x9f2aa55e, 0xf5607e2e, 0x5287d961, 0x60b3e704, 0xf3e16e80, 0xb4f9a3ea, 0xfec7f02d)}, | ||
| 3192 | {SECP256K1_FE_CONST(0xc97b6cec, 0x3ee6b8dc, 0x98d24b58, 0x3c1970a1, 0xfe06297a, 0xae813529, 0xe76bb6bd, 0x771ae51d), | ||
| 3193 | SECP256K1_FE_CONST(0x0507c702, 0xd407d097, 0x47ddeb06, 0xf6625419, 0x79f48f79, 0x7bf80d0b, 0xfc34b364, 0x253a5db1)}, | ||
| 3194 | {SECP256K1_FE_CONST(0xd559af63, 0x77ea9bc4, 0x3cf1ad14, 0x5c7a4bbb, 0x10e7d18b, 0x7ce0dfac, 0x380bb19d, 0x0bb99bd3), | ||
| 3195 | SECP256K1_FE_CONST(0x00196119, 0xb9b00d92, 0x34edfdb5, 0xbbdc42fc, 0xd2daa33a, 0x163356ca, 0xaa8754c8, 0xb0ec8b0b)}, | ||
| 3196 | {SECP256K1_FE_CONST(0x8ddfa3dc, 0x52918da0, 0x640519dc, 0x0af8512a, 0xca2d33b2, 0xbde52514, 0xda9c0afc, 0xcb29fce4), | ||
| 3197 | SECP256K1_FE_CONST(0xb3e4878d, 0x5cb69148, 0xcd54388b, 0xc23acce0, 0x62518ba8, 0xf09def92, 0x7b31e6aa, 0x6ba35b02)}, | ||
| 3198 | {SECP256K1_FE_CONST(0xf8207492, 0xe3049f0a, 0x65285f2b, 0x0bfff996, 0x00ca112e, 0xc05da837, 0x546d41f9, 0x5194fb91), | ||
| 3199 | SECP256K1_FE_CONST(0x7b7ee50b, 0xa8ed4bbd, 0xf6469930, 0x81419a5c, 0x071441c7, 0x290d046e, 0x3b82ea41, 0x611c5f95)}, | ||
| 3200 | {SECP256K1_FE_CONST(0x050f7c80, 0x5bcd3c6b, 0x823cb724, 0x5ce74db7, 0xa4e39f5c, 0xbd8828d7, 0xfd4d3e07, 0x3ec2926a), | ||
| 3201 | SECP256K1_FE_CONST(0x000d6730, 0xb0171314, 0x4764053d, 0xee157117, 0x48fd61da, 0xdea0b9db, 0x1d5e91c6, 0xbdc3f59e)}, | ||
| 3202 | {SECP256K1_FE_CONST(0x3e3ea8eb, 0x05d760cf, 0x23009263, 0xb3cb3ac9, 0x088f6f0d, 0x3fc182a3, 0xbd57087c, 0xe67c62f9), | ||
| 3203 | SECP256K1_FE_CONST(0xbe988716, 0xa29c1bf6, 0x4456aed6, 0xab1e4720, 0x49929305, 0x51043bf4, 0xebd833dd, 0xdd511e8b)}, | ||
| 3204 | {SECP256K1_FE_CONST(0x6964d2a9, 0xa7fa6501, 0xa5959249, 0x142f4029, 0xea0c1b5f, 0x2f487ef6, 0x301ac80a, 0x768be5cd), | ||
| 3205 | SECP256K1_FE_CONST(0x3918ffe4, 0x07492543, 0xed24d0b7, 0x3df95f8f, 0xaffd7cb4, 0x0de2191c, 0x9ec2f2ad, 0x2c0cb3c6)}, | ||
| 3206 | {SECP256K1_FE_CONST(0x37c93520, 0xf6ddca57, 0x2b42fd5e, 0xb5c7e4de, 0x11b5b81c, 0xb95e91f3, 0x95c4d156, 0x39877ccb), | ||
| 3207 | SECP256K1_FE_CONST(0x9a94b9b5, 0x57eb71ee, 0x4c975b8b, 0xac5262a8, 0x077b0595, 0xe12a6b1f, 0xd728edef, 0x1a6bf956)} | ||
| 3208 | }; | ||
| 3209 | /* Fixed test cases for scalar inverses: pairs of (x, 1/x) mod n. */ | ||
| 3210 | 1 | static const secp256k1_scalar scalar_cases[][2] = { | |
| 3211 | /* 0 */ | ||
| 3212 | {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0), | ||
| 3213 | SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0)}, | ||
| 3214 | /* 1 */ | ||
| 3215 | {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1), | ||
| 3216 | SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1)}, | ||
| 3217 | /* -1 */ | ||
| 3218 | {SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140), | ||
| 3219 | SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140)}, | ||
| 3220 | /* 2 */ | ||
| 3221 | {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 2), | ||
| 3222 | SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x5d576e73, 0x57a4501d, 0xdfe92f46, 0x681b20a1)}, | ||
| 3223 | /* 2**128 */ | ||
| 3224 | {SECP256K1_SCALAR_CONST(0, 0, 0, 1, 0, 0, 0, 0), | ||
| 3225 | SECP256K1_SCALAR_CONST(0x50a51ac8, 0x34b9ec24, 0x4b0dff66, 0x5588b13e, 0x9984d5b3, 0xcf80ef0f, 0xd6a23766, 0xa3ee9f22)}, | ||
| 3226 | /* Input known to need 635 divsteps */ | ||
| 3227 | {SECP256K1_SCALAR_CONST(0xcb9f1d35, 0xdd4416c2, 0xcd71bf3f, 0x6365da66, 0x3c9b3376, 0x8feb7ae9, 0x32a5ef60, 0x19199ec3), | ||
| 3228 | SECP256K1_SCALAR_CONST(0x1d7c7bba, 0xf1893d53, 0xb834bd09, 0x36b411dc, 0x42c2e42f, 0xec72c428, 0x5e189791, 0x8e9bc708)}, | ||
| 3229 | /* Input known to need 566 divsteps starting with delta=1/2. */ | ||
| 3230 | {SECP256K1_SCALAR_CONST(0x7e3c993d, 0xa4272488, 0xbc015b49, 0x2db54174, 0xd382083a, 0xebe6db35, 0x80f82eff, 0xcd132c72), | ||
| 3231 | SECP256K1_SCALAR_CONST(0x086f34a0, 0x3e631f76, 0x77418f28, 0xcc84ac95, 0x6304439d, 0x365db268, 0x312c6ded, 0xd0b934f8)}, | ||
| 3232 | /* Input known to need 565 divsteps starting with delta=1/2. */ | ||
| 3233 | {SECP256K1_SCALAR_CONST(0xbad7e587, 0x3f307859, 0x60d93147, 0x8a18491e, 0xb38a9fd5, 0x254350d3, 0x4b1f0e4b, 0x7dd6edc4), | ||
| 3234 | SECP256K1_SCALAR_CONST(0x89f2df26, 0x39e2b041, 0xf19bd876, 0xd039c8ac, 0xc2223add, 0x29c4943e, 0x6632d908, 0x515f467b)}, | ||
| 3235 | /* Selection of randomly generated inputs that reach low/high d/e values in various configurations. */ | ||
| 3236 | {SECP256K1_SCALAR_CONST(0x1950d757, 0xb37a5809, 0x435059bb, 0x0bb8997e, 0x07e1e3c8, 0x5e5d7d2c, 0x6a0ed8e3, 0xdbde180e), | ||
| 3237 | SECP256K1_SCALAR_CONST(0xbf72af9b, 0x750309e2, 0x8dda230b, 0xfe432b93, 0x7e25e475, 0x4388251e, 0x633d894b, 0x3bcb6f8c)}, | ||
| 3238 | {SECP256K1_SCALAR_CONST(0x9bccf4e7, 0xc5a515e3, 0x50637aa9, 0xbb65a13f, 0x391749a1, 0x62de7d4e, 0xf6d7eabb, 0x3cd10ce0), | ||
| 3239 | SECP256K1_SCALAR_CONST(0xaf2d5623, 0xb6385a33, 0xcd0365be, 0x5e92a70d, 0x7f09179c, 0x3baaf30f, 0x8f9cc83b, 0x20092f67)}, | ||
| 3240 | {SECP256K1_SCALAR_CONST(0x73a57111, 0xb242952a, 0x5c5dee59, 0xf3be2ace, 0xa30a7659, 0xa46e5f47, 0xd21267b1, 0x39e642c9), | ||
| 3241 | SECP256K1_SCALAR_CONST(0xa711df07, 0xcbcf13ef, 0xd61cc6be, 0xbcd058ce, 0xb02cf157, 0x272d4a18, 0x86d0feb3, 0xcd5fa004)}, | ||
| 3242 | {SECP256K1_SCALAR_CONST(0x04884963, 0xce0580b1, 0xba547030, 0x3c691db3, 0x9cd2c84f, 0x24c7cebd, 0x97ebfdba, 0x3e785ec2), | ||
| 3243 | SECP256K1_SCALAR_CONST(0xaaaaaf14, 0xd7c99ba7, 0x517ce2c1, 0x78a28b4c, 0x3769a851, 0xe5c5a03d, 0x4cc28f33, 0x0ec4dc5d)}, | ||
| 3244 | {SECP256K1_SCALAR_CONST(0x1679ed49, 0x21f537b1, 0x815cb8ae, 0x9efc511c, 0x5b9fa037, 0x0b0f275e, 0x6c985281, 0x6c4a9905), | ||
| 3245 | SECP256K1_SCALAR_CONST(0xb14ac3d5, 0x62b52999, 0xef34ead1, 0xffca4998, 0x0294341a, 0x1f8172aa, 0xea1624f9, 0x302eea62)}, | ||
| 3246 | {SECP256K1_SCALAR_CONST(0x626b37c0, 0xf0057c35, 0xee982f83, 0x452a1fd3, 0xea826506, 0x48b08a9d, 0x1d2c4799, 0x4ad5f6ec), | ||
| 3247 | SECP256K1_SCALAR_CONST(0xe38643b7, 0x567bfc2f, 0x5d2f1c15, 0xe327239c, 0x07112443, 0x69509283, 0xfd98e77a, 0xdb71c1e8)}, | ||
| 3248 | {SECP256K1_SCALAR_CONST(0x1850a3a7, 0x759efc56, 0x54f287b2, 0x14d1234b, 0xe263bbc9, 0xcf4d8927, 0xd5f85f27, 0x965bd816), | ||
| 3249 | SECP256K1_SCALAR_CONST(0x3b071831, 0xcac9619a, 0xcceb0596, 0xf614d63b, 0x95d0db2f, 0xc6a00901, 0x8eaa2621, 0xabfa0009)}, | ||
| 3250 | {SECP256K1_SCALAR_CONST(0x94ae5d06, 0xa27dc400, 0x487d72be, 0xaa51ebed, 0xe475b5c0, 0xea675ffc, 0xf4df627a, 0xdca4222f), | ||
| 3251 | SECP256K1_SCALAR_CONST(0x01b412ed, 0xd7830956, 0x1532537e, 0xe5e3dc99, 0x8fd3930a, 0x54f8d067, 0x32ef5760, 0x594438a5)}, | ||
| 3252 | {SECP256K1_SCALAR_CONST(0x1f24278a, 0xb5bfe374, 0xa328dbbc, 0xebe35f48, 0x6620e009, 0xd58bb1b4, 0xb5a6bf84, 0x8815f63a), | ||
| 3253 | SECP256K1_SCALAR_CONST(0xfe928416, 0xca5ba2d3, 0xfde513da, 0x903a60c7, 0x9e58ad8a, 0x8783bee4, 0x083a3843, 0xa608c914)}, | ||
| 3254 | {SECP256K1_SCALAR_CONST(0xdc107d58, 0x274f6330, 0x67dba8bc, 0x26093111, 0x5201dfb8, 0x968ce3f5, 0xf34d1bd4, 0xf2146504), | ||
| 3255 | SECP256K1_SCALAR_CONST(0x660cfa90, 0x13c3d93e, 0x7023b1e5, 0xedd09e71, 0x6d9c9d10, 0x7a3d2cdb, 0xdd08edc3, 0xaa78fcfb)}, | ||
| 3256 | {SECP256K1_SCALAR_CONST(0x7cd1e905, 0xc6f02776, 0x2f551cc7, 0x5da61cff, 0x7da05389, 0x1119d5a4, 0x631c7442, 0x894fd4f7), | ||
| 3257 | SECP256K1_SCALAR_CONST(0xff20862a, 0x9d3b1a37, 0x1628803b, 0x3004ccae, 0xaa23282a, 0xa89a1109, 0xd94ece5e, 0x181bdc46)}, | ||
| 3258 | {SECP256K1_SCALAR_CONST(0x5b9dade8, 0x23d26c58, 0xcd12d818, 0x25b8ae97, 0x3dea04af, 0xf482c96b, 0xa062f254, 0x9e453640), | ||
| 3259 | SECP256K1_SCALAR_CONST(0x50c38800, 0x15fa53f4, 0xbe1e5392, 0x5c9b120a, 0x262c22c7, 0x18fa0816, 0x5f2baab4, 0x8cb5db46)}, | ||
| 3260 | {SECP256K1_SCALAR_CONST(0x11cdaeda, 0x969c464b, 0xef1f4ab0, 0x5b01d22e, 0x656fd098, 0x882bea84, 0x65cdbe7a, 0x0c19ff03), | ||
| 3261 | SECP256K1_SCALAR_CONST(0x1968d0fa, 0xac46f103, 0xb55f1f72, 0xb3820bed, 0xec6b359a, 0x4b1ae0ad, 0x7e38e1fb, 0x295ccdfb)}, | ||
| 3262 | {SECP256K1_SCALAR_CONST(0x2c351aa1, 0x26e91589, 0x194f8a1e, 0x06561f66, 0x0cb97b7f, 0x10914454, 0x134d1c03, 0x157266b4), | ||
| 3263 | SECP256K1_SCALAR_CONST(0xbe49ada6, 0x92bd8711, 0x41b176c4, 0xa478ba95, 0x14883434, 0x9d1cd6f3, 0xcc4b847d, 0x22af80f5)}, | ||
| 3264 | {SECP256K1_SCALAR_CONST(0x6ba07c6e, 0x13a60edb, 0x6247f5c3, 0x84b5fa56, 0x76fe3ec5, 0x80426395, 0xf65ec2ae, 0x623ba730), | ||
| 3265 | SECP256K1_SCALAR_CONST(0x25ac23f7, 0x418cd747, 0x98376f9d, 0x4a11c7bf, 0x24c8ebfe, 0x4c8a8655, 0x345f4f52, 0x1c515595)}, | ||
| 3266 | {SECP256K1_SCALAR_CONST(0x9397a712, 0x8abb6951, 0x2d4a3d54, 0x703b1c2a, 0x0661dca8, 0xd75c9b31, 0xaed4d24b, 0xd2ab2948), | ||
| 3267 | SECP256K1_SCALAR_CONST(0xc52e8bef, 0xd55ce3eb, 0x1c897739, 0xeb9fb606, 0x36b9cd57, 0x18c51cc2, 0x6a87489e, 0xffd0dcf3)}, | ||
| 3268 | {SECP256K1_SCALAR_CONST(0xe6a808cc, 0xeb437888, 0xe97798df, 0x4e224e44, 0x7e3b380a, 0x207c1653, 0x889f3212, 0xc6738b6f), | ||
| 3269 | SECP256K1_SCALAR_CONST(0x31f9ae13, 0xd1e08b20, 0x757a2e5e, 0x5243a0eb, 0x8ae35f73, 0x19bb6122, 0xb910f26b, 0xda70aa55)}, | ||
| 3270 | {SECP256K1_SCALAR_CONST(0xd0320548, 0xab0effe7, 0xa70779e0, 0x61a347a6, 0xb8c1e010, 0x9d5281f8, 0x2ee588a6, 0x80000000), | ||
| 3271 | SECP256K1_SCALAR_CONST(0x1541897e, 0x78195c90, 0x7583dd9e, 0x728b6100, 0xbce8bc6d, 0x7a53b471, 0x5dcd9e45, 0x4425fcaf)}, | ||
| 3272 | {SECP256K1_SCALAR_CONST(0x93d623f1, 0xd45b50b0, 0x796e9186, 0x9eac9407, 0xd30edc20, 0xef6304cf, 0x250494e7, 0xba503de9), | ||
| 3273 | SECP256K1_SCALAR_CONST(0x7026d638, 0x1178b548, 0x92043952, 0x3c7fb47c, 0xcd3ea236, 0x31d82b01, 0x612fc387, 0x80b9b957)}, | ||
| 3274 | {SECP256K1_SCALAR_CONST(0xf860ab39, 0x55f5d412, 0xa4d73bcc, 0x3b48bd90, 0xc248ffd3, 0x13ca10be, 0x8fba84cc, 0xdd28d6a3), | ||
| 3275 | SECP256K1_SCALAR_CONST(0x5c32fc70, 0xe0b15d67, 0x76694700, 0xfe62be4d, 0xeacdb229, 0x7a4433d9, 0x52155cd0, 0x7649ab59)}, | ||
| 3276 | {SECP256K1_SCALAR_CONST(0x4e41311c, 0x0800af58, 0x7a690a8e, 0xe175c9ba, 0x6981ab73, 0xac532ea8, 0x5c1f5e63, 0x6ac1f189), | ||
| 3277 | SECP256K1_SCALAR_CONST(0xfffffff9, 0xd075982c, 0x7fbd3825, 0xc05038a2, 0x4533b91f, 0x94ec5f45, 0xb280b28f, 0x842324dc)}, | ||
| 3278 | {SECP256K1_SCALAR_CONST(0x48e473bf, 0x3555eade, 0xad5d7089, 0x2424c4e4, 0x0a99397c, 0x2dc796d8, 0xb7a43a69, 0xd0364141), | ||
| 3279 | SECP256K1_SCALAR_CONST(0x634976b2, 0xa0e47895, 0x1ec38593, 0x266d6fd0, 0x6f602644, 0x9bb762f1, 0x7180c704, 0xe23a4daa)}, | ||
| 3280 | {SECP256K1_SCALAR_CONST(0xbe83878d, 0x3292fc54, 0x26e71c62, 0x556ccedc, 0x7cbb8810, 0x4032a720, 0x34ead589, 0xe4d6bd13), | ||
| 3281 | SECP256K1_SCALAR_CONST(0x6cd150ad, 0x25e59d0f, 0x74cbae3d, 0x6377534a, 0x1e6562e8, 0xb71b9d18, 0xe1e5d712, 0x8480abb3)}, | ||
| 3282 | {SECP256K1_SCALAR_CONST(0xcdddf2e5, 0xefc15f88, 0xc9ee06de, 0x8a846ca9, 0x28561581, 0x68daa5fb, 0xd1cf3451, 0xeb1782d0), | ||
| 3283 | SECP256K1_SCALAR_CONST(0xffffffd9, 0xed8d2af4, 0x993c865a, 0x23e9681a, 0x3ca3a3dc, 0xe6d5a46e, 0xbd86bd87, 0x61b55c70)}, | ||
| 3284 | {SECP256K1_SCALAR_CONST(0xb6a18f1f, 0x04872df9, 0x08165ec4, 0x319ca19c, 0x6c0359ab, 0x1f7118fb, 0xc2ef8082, 0xca8b7785), | ||
| 3285 | SECP256K1_SCALAR_CONST(0xff55b19b, 0x0f1ac78c, 0x0f0c88c2, 0x2358d5ad, 0x5f455e4e, 0x3330b72f, 0x274dc153, 0xffbf272b)}, | ||
| 3286 | {SECP256K1_SCALAR_CONST(0xea4898e5, 0x30eba3e8, 0xcf0e5c3d, 0x06ec6844, 0x01e26fb6, 0x75636225, 0xc5d08f4c, 0x1decafa0), | ||
| 3287 | SECP256K1_SCALAR_CONST(0xe5a014a8, 0xe3c4ec1e, 0xea4f9b32, 0xcfc7b386, 0x00630806, 0x12c08d02, 0x6407ccc2, 0xb067d90e)}, | ||
| 3288 | {SECP256K1_SCALAR_CONST(0x70e9aea9, 0x7e933af0, 0x8a23bfab, 0x23e4b772, 0xff951863, 0x5ffcf47d, 0x6bebc918, 0x2ca58265), | ||
| 3289 | SECP256K1_SCALAR_CONST(0xf4e00006, 0x81bc6441, 0x4eb6ec02, 0xc194a859, 0x80ad7c48, 0xba4e9afb, 0x8b6bdbe0, 0x989d8f77)}, | ||
| 3290 | {SECP256K1_SCALAR_CONST(0x3c56c774, 0x46efe6f0, 0xe93618b8, 0xf9b5a846, 0xd247df61, 0x83b1e215, 0x06dc8bcc, 0xeefc1bf5), | ||
| 3291 | SECP256K1_SCALAR_CONST(0xfff8937a, 0x2cd9586b, 0x43c25e57, 0xd1cefa7a, 0x9fb91ed3, 0x95b6533d, 0x8ad0de5b, 0xafb93f00)}, | ||
| 3292 | {SECP256K1_SCALAR_CONST(0xfb5c2772, 0x5cb30e83, 0xe38264df, 0xe4e3ebf3, 0x392aa92e, 0xa68756a1, 0x51279ac5, 0xb50711a8), | ||
| 3293 | SECP256K1_SCALAR_CONST(0x000013af, 0x1105bfe7, 0xa6bbd7fb, 0x3d638f99, 0x3b266b02, 0x072fb8bc, 0x39251130, 0x2e0fd0ea)} | ||
| 3294 | }; | ||
| 3295 | 1 | int i, var, testrand; | |
| 3296 | 1 | unsigned char b32[32]; | |
| 3297 | 1 | secp256k1_fe x_fe; | |
| 3298 | 1 | secp256k1_scalar x_scalar; | |
| 3299 | 1 | memset(b32, 0, sizeof(b32)); | |
| 3300 | /* Test fixed test cases through test_inverse_{scalar,field}, both ways. */ | ||
| 3301 |
2/2✓ Branch 0 taken 46 times.
✓ Branch 1 taken 1 times.
|
47 | for (i = 0; (size_t)i < sizeof(fe_cases)/sizeof(fe_cases[0]); ++i) { |
| 3302 |
2/2✓ Branch 0 taken 92 times.
✓ Branch 1 taken 46 times.
|
138 | for (var = 0; var <= 1; ++var) { |
| 3303 | 92 | test_inverse_field(&x_fe, &fe_cases[i][0], var); | |
| 3304 | 92 | check_fe_equal(&x_fe, &fe_cases[i][1]); | |
| 3305 | 92 | test_inverse_field(&x_fe, &fe_cases[i][1], var); | |
| 3306 | 92 | check_fe_equal(&x_fe, &fe_cases[i][0]); | |
| 3307 | } | ||
| 3308 | } | ||
| 3309 |
2/2✓ Branch 0 taken 37 times.
✓ Branch 1 taken 1 times.
|
38 | for (i = 0; (size_t)i < sizeof(scalar_cases)/sizeof(scalar_cases[0]); ++i) { |
| 3310 |
2/2✓ Branch 0 taken 74 times.
✓ Branch 1 taken 37 times.
|
111 | for (var = 0; var <= 1; ++var) { |
| 3311 | 74 | test_inverse_scalar(&x_scalar, &scalar_cases[i][0], var); | |
| 3312 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 74 times.
|
74 | CHECK(secp256k1_scalar_eq(&x_scalar, &scalar_cases[i][1])); |
| 3313 | 74 | test_inverse_scalar(&x_scalar, &scalar_cases[i][1], var); | |
| 3314 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 74 times.
|
74 | CHECK(secp256k1_scalar_eq(&x_scalar, &scalar_cases[i][0])); |
| 3315 | } | ||
| 3316 | } | ||
| 3317 | /* Test inputs 0..999 and their respective negations. */ | ||
| 3318 |
2/2✓ Branch 0 taken 1000 times.
✓ Branch 1 taken 1 times.
|
1001 | for (i = 0; i < 1000; ++i) { |
| 3319 | 1000 | b32[31] = i & 0xff; | |
| 3320 | 1000 | b32[30] = (i >> 8) & 0xff; | |
| 3321 | 1000 | secp256k1_scalar_set_b32(&x_scalar, b32, NULL); | |
| 3322 | 1000 | secp256k1_fe_set_b32(&x_fe, b32); | |
| 3323 |
2/2✓ Branch 1 taken 2000 times.
✓ Branch 2 taken 1000 times.
|
4000 | for (var = 0; var <= 1; ++var) { |
| 3324 | 2000 | test_inverse_scalar(NULL, &x_scalar, var); | |
| 3325 | 2000 | test_inverse_field(NULL, &x_fe, var); | |
| 3326 | } | ||
| 3327 | 1000 | secp256k1_scalar_negate(&x_scalar, &x_scalar); | |
| 3328 | 1000 | secp256k1_fe_negate(&x_fe, &x_fe, 1); | |
| 3329 |
2/2✓ Branch 0 taken 2000 times.
✓ Branch 1 taken 1000 times.
|
3000 | for (var = 0; var <= 1; ++var) { |
| 3330 | 2000 | test_inverse_scalar(NULL, &x_scalar, var); | |
| 3331 | 2000 | test_inverse_field(NULL, &x_fe, var); | |
| 3332 | } | ||
| 3333 | } | ||
| 3334 | /* test 128*count random inputs; half with testrand256_test, half with testrand256 */ | ||
| 3335 |
2/2✓ Branch 0 taken 2 times.
✓ Branch 1 taken 1 times.
|
3 | for (testrand = 0; testrand <= 1; ++testrand) { |
| 3336 |
2/2✓ Branch 0 taken 8192 times.
✓ Branch 1 taken 2 times.
|
8194 | for (i = 0; i < 64 * count; ++i) { |
| 3337 |
2/2✓ Branch 0 taken 4096 times.
✓ Branch 1 taken 4096 times.
|
12288 | (testrand ? secp256k1_testrand256_test : secp256k1_testrand256)(b32); |
| 3338 | 8192 | secp256k1_scalar_set_b32(&x_scalar, b32, NULL); | |
| 3339 | 8192 | secp256k1_fe_set_b32(&x_fe, b32); | |
| 3340 |
2/2✓ Branch 1 taken 16384 times.
✓ Branch 2 taken 8192 times.
|
32768 | for (var = 0; var <= 1; ++var) { |
| 3341 | 16384 | test_inverse_scalar(NULL, &x_scalar, var); | |
| 3342 | 16384 | test_inverse_field(NULL, &x_fe, var); | |
| 3343 | } | ||
| 3344 | } | ||
| 3345 | } | ||
| 3346 | 1 | } | |
| 3347 | |||
| 3348 | /***** GROUP TESTS *****/ | ||
| 3349 | |||
| 3350 | 501 | void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b) { | |
| 3351 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 501 times.
|
501 | CHECK(a->infinity == b->infinity); |
| 3352 |
1/2✓ Branch 0 taken 501 times.
✗ Branch 1 not taken.
|
501 | if (a->infinity) { |
| 3353 | return; | ||
| 3354 | } | ||
| 3355 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 501 times.
|
501 | CHECK(secp256k1_fe_equal_var(&a->x, &b->x)); |
| 3356 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 501 times.
|
501 | CHECK(secp256k1_fe_equal_var(&a->y, &b->y)); |
| 3357 | } | ||
| 3358 | |||
| 3359 | /* This compares jacobian points including their Z, not just their geometric meaning. */ | ||
| 3360 | 789 | int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b) { | |
| 3361 | 789 | secp256k1_gej a2; | |
| 3362 | 789 | secp256k1_gej b2; | |
| 3363 | 789 | int ret = 1; | |
| 3364 | 789 | ret &= a->infinity == b->infinity; | |
| 3365 |
3/4✓ Branch 0 taken 789 times.
✗ Branch 1 not taken.
✓ Branch 2 taken 533 times.
✓ Branch 3 taken 256 times.
|
789 | if (ret && !a->infinity) { |
| 3366 | 533 | a2 = *a; | |
| 3367 | 533 | b2 = *b; | |
| 3368 | 533 | secp256k1_fe_normalize(&a2.x); | |
| 3369 | 533 | secp256k1_fe_normalize(&a2.y); | |
| 3370 | 533 | secp256k1_fe_normalize(&a2.z); | |
| 3371 | 533 | secp256k1_fe_normalize(&b2.x); | |
| 3372 | 533 | secp256k1_fe_normalize(&b2.y); | |
| 3373 | 533 | secp256k1_fe_normalize(&b2.z); | |
| 3374 | 533 | ret &= secp256k1_fe_cmp_var(&a2.x, &b2.x) == 0; | |
| 3375 | 533 | ret &= secp256k1_fe_cmp_var(&a2.y, &b2.y) == 0; | |
| 3376 | 1066 | ret &= secp256k1_fe_cmp_var(&a2.z, &b2.z) == 0; | |
| 3377 | } | ||
| 3378 | 789 | return ret; | |
| 3379 | } | ||
| 3380 | |||
| 3381 | 4475033 | void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b) { | |
| 3382 | 4475033 | secp256k1_fe z2s; | |
| 3383 | 4475033 | secp256k1_fe u1, u2, s1, s2; | |
| 3384 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 4475033 times.
|
4475033 | CHECK(a->infinity == b->infinity); |
| 3385 |
2/2✓ Branch 0 taken 336728 times.
✓ Branch 1 taken 4138305 times.
|
4475033 | if (a->infinity) { |
| 3386 | 336728 | return; | |
| 3387 | } | ||
| 3388 | /* Check a.x * b.z^2 == b.x && a.y * b.z^3 == b.y, to avoid inverses. */ | ||
| 3389 | 4138305 | secp256k1_fe_sqr(&z2s, &b->z); | |
| 3390 | 4138305 | secp256k1_fe_mul(&u1, &a->x, &z2s); | |
| 3391 | 4138305 | u2 = b->x; secp256k1_fe_normalize_weak(&u2); | |
| 3392 | 4138305 | secp256k1_fe_mul(&s1, &a->y, &z2s); secp256k1_fe_mul(&s1, &s1, &b->z); | |
| 3393 | 4138305 | s2 = b->y; secp256k1_fe_normalize_weak(&s2); | |
| 3394 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 4138305 times.
|
4138305 | CHECK(secp256k1_fe_equal_var(&u1, &u2)); |
| 3395 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 4138305 times.
|
4138305 | CHECK(secp256k1_fe_equal_var(&s1, &s2)); |
| 3396 | } | ||
| 3397 | |||
| 3398 | 2048 | void test_ge(void) { | |
| 3399 | 2048 | int i, i1; | |
| 3400 | 2048 | int runs = 6; | |
| 3401 | /* 25 points are used: | ||
| 3402 | * - infinity | ||
| 3403 | * - for each of four random points p1 p2 p3 p4, we add the point, its | ||
| 3404 | * negation, and then those two again but with randomized Z coordinate. | ||
| 3405 | * - The same is then done for lambda*p1 and lambda^2*p1. | ||
| 3406 | */ | ||
| 3407 | 2048 | secp256k1_ge *ge = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * (1 + 4 * runs)); | |
| 3408 | 2048 | secp256k1_gej *gej = (secp256k1_gej *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_gej) * (1 + 4 * runs)); | |
| 3409 | 2048 | secp256k1_fe zf; | |
| 3410 | 2048 | secp256k1_fe zfi2, zfi3; | |
| 3411 | |||
| 3412 | 2048 | secp256k1_gej_set_infinity(&gej[0]); | |
| 3413 | 2048 | secp256k1_ge_clear(&ge[0]); | |
| 3414 | 2048 | secp256k1_ge_set_gej_var(&ge[0], &gej[0]); | |
| 3415 |
2/2✓ Branch 1 taken 12288 times.
✓ Branch 2 taken 2048 times.
|
16384 | for (i = 0; i < runs; i++) { |
| 3416 | 12288 | int j; | |
| 3417 | 12288 | secp256k1_ge g; | |
| 3418 | 12288 | random_group_element_test(&g); | |
| 3419 |
2/2✓ Branch 0 taken 4096 times.
✓ Branch 1 taken 8192 times.
|
12288 | if (i >= runs - 2) { |
| 3420 | 4096 | secp256k1_ge_mul_lambda(&g, &ge[1]); | |
| 3421 | } | ||
| 3422 |
2/2✓ Branch 0 taken 2048 times.
✓ Branch 1 taken 2048 times.
|
4096 | if (i >= runs - 1) { |
| 3423 | 2048 | secp256k1_ge_mul_lambda(&g, &g); | |
| 3424 | } | ||
| 3425 | 12288 | ge[1 + 4 * i] = g; | |
| 3426 | 12288 | ge[2 + 4 * i] = g; | |
| 3427 | 12288 | secp256k1_ge_neg(&ge[3 + 4 * i], &g); | |
| 3428 | 12288 | secp256k1_ge_neg(&ge[4 + 4 * i], &g); | |
| 3429 | 12288 | secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]); | |
| 3430 | 12288 | random_group_element_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]); | |
| 3431 | 12288 | secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]); | |
| 3432 | 12288 | random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]); | |
| 3433 |
2/2✓ Branch 1 taken 49152 times.
✓ Branch 2 taken 12288 times.
|
73728 | for (j = 0; j < 4; j++) { |
| 3434 | 49152 | random_field_element_magnitude(&ge[1 + j + 4 * i].x); | |
| 3435 | 49152 | random_field_element_magnitude(&ge[1 + j + 4 * i].y); | |
| 3436 | 49152 | random_field_element_magnitude(&gej[1 + j + 4 * i].x); | |
| 3437 | 49152 | random_field_element_magnitude(&gej[1 + j + 4 * i].y); | |
| 3438 | 49152 | random_field_element_magnitude(&gej[1 + j + 4 * i].z); | |
| 3439 | } | ||
| 3440 | } | ||
| 3441 | |||
| 3442 | /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */ | ||
| 3443 | 2049 | do { | |
| 3444 | 2049 | random_field_element_test(&zf); | |
| 3445 |
2/2✓ Branch 0 taken 1 times.
✓ Branch 1 taken 2048 times.
|
2049 | } while(secp256k1_fe_is_zero(&zf)); |
| 3446 | 2048 | random_field_element_magnitude(&zf); | |
| 3447 | 2048 | secp256k1_fe_inv_var(&zfi3, &zf); | |
| 3448 | 2048 | secp256k1_fe_sqr(&zfi2, &zfi3); | |
| 3449 | 2048 | secp256k1_fe_mul(&zfi3, &zfi3, &zfi2); | |
| 3450 | |||
| 3451 |
2/2✓ Branch 1 taken 51200 times.
✓ Branch 2 taken 2048 times.
|
55296 | for (i1 = 0; i1 < 1 + 4 * runs; i1++) { |
| 3452 | int i2; | ||
| 3453 |
2/2✓ Branch 0 taken 1280000 times.
✓ Branch 1 taken 51200 times.
|
1331200 | for (i2 = 0; i2 < 1 + 4 * runs; i2++) { |
| 3454 | /* Compute reference result using gej + gej (var). */ | ||
| 3455 | 1280000 | secp256k1_gej refj, resj; | |
| 3456 | 1280000 | secp256k1_ge ref; | |
| 3457 | 1280000 | secp256k1_fe zr; | |
| 3458 |
2/2✓ Branch 0 taken 51200 times.
✓ Branch 1 taken 1228800 times.
|
1331200 | secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr); |
| 3459 | /* Check Z ratio. */ | ||
| 3460 |
4/4✓ Branch 0 taken 1228800 times.
✓ Branch 1 taken 51200 times.
✓ Branch 2 taken 1130496 times.
✓ Branch 3 taken 98304 times.
|
1280000 | if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&refj)) { |
| 3461 | 1130496 | secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z); | |
| 3462 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1130496 times.
|
1130496 | CHECK(secp256k1_fe_equal_var(&zrz, &refj.z)); |
| 3463 | } | ||
| 3464 | 1280000 | secp256k1_ge_set_gej_var(&ref, &refj); | |
| 3465 | |||
| 3466 | /* Test gej + ge with Z ratio result (var). */ | ||
| 3467 |
2/2✓ Branch 0 taken 51200 times.
✓ Branch 1 taken 1228800 times.
|
1331200 | secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr); |
| 3468 | 1280000 | ge_equals_gej(&ref, &resj); | |
| 3469 |
4/4✓ Branch 0 taken 1228800 times.
✓ Branch 1 taken 51200 times.
✓ Branch 2 taken 1130496 times.
✓ Branch 3 taken 98304 times.
|
1280000 | if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&resj)) { |
| 3470 | 1130496 | secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z); | |
| 3471 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1130496 times.
|
1130496 | CHECK(secp256k1_fe_equal_var(&zrz, &resj.z)); |
| 3472 | } | ||
| 3473 | |||
| 3474 | /* Test gej + ge (var, with additional Z factor). */ | ||
| 3475 | { | ||
| 3476 | 1280000 | secp256k1_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */ | |
| 3477 | 1280000 | secp256k1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2); | |
| 3478 | 1280000 | secp256k1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3); | |
| 3479 | 1280000 | random_field_element_magnitude(&ge2_zfi.x); | |
| 3480 | 1280000 | random_field_element_magnitude(&ge2_zfi.y); | |
| 3481 | 1280000 | secp256k1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf); | |
| 3482 | 1280000 | ge_equals_gej(&ref, &resj); | |
| 3483 | } | ||
| 3484 | |||
| 3485 | /* Test gej + ge (const). */ | ||
| 3486 |
2/2✓ Branch 0 taken 1228800 times.
✓ Branch 1 taken 51200 times.
|
1280000 | if (i2 != 0) { |
| 3487 | /* secp256k1_gej_add_ge does not support its second argument being infinity. */ | ||
| 3488 | 1228800 | secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]); | |
| 3489 | 1228800 | ge_equals_gej(&ref, &resj); | |
| 3490 | } | ||
| 3491 | |||
| 3492 | /* Test doubling (var). */ | ||
| 3493 |
6/6✓ Branch 0 taken 1277952 times.
✓ Branch 1 taken 2048 times.
✓ Branch 2 taken 196608 times.
✓ Branch 3 taken 1081344 times.
✓ Branch 4 taken 98304 times.
✓ Branch 5 taken 98304 times.
|
1280000 | if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) { |
| 3494 | 100352 | secp256k1_fe zr2; | |
| 3495 | /* Normal doubling with Z ratio result. */ | ||
| 3496 | 100352 | secp256k1_gej_double_var(&resj, &gej[i1], &zr2); | |
| 3497 | 100352 | ge_equals_gej(&ref, &resj); | |
| 3498 | /* Check Z ratio. */ | ||
| 3499 | 100352 | secp256k1_fe_mul(&zr2, &zr2, &gej[i1].z); | |
| 3500 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 100352 times.
|
100352 | CHECK(secp256k1_fe_equal_var(&zr2, &resj.z)); |
| 3501 | /* Normal doubling. */ | ||
| 3502 | 100352 | secp256k1_gej_double_var(&resj, &gej[i2], NULL); | |
| 3503 | 100352 | ge_equals_gej(&ref, &resj); | |
| 3504 | /* Constant-time doubling. */ | ||
| 3505 | 100352 | secp256k1_gej_double(&resj, &gej[i2]); | |
| 3506 | 100352 | ge_equals_gej(&ref, &resj); | |
| 3507 | } | ||
| 3508 | |||
| 3509 | /* Test adding opposites. */ | ||
| 3510 |
6/6✓ Branch 0 taken 1277952 times.
✓ Branch 1 taken 2048 times.
✓ Branch 2 taken 196608 times.
✓ Branch 3 taken 1081344 times.
✓ Branch 4 taken 98304 times.
✓ Branch 5 taken 98304 times.
|
1280000 | if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) { |
| 3511 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 100352 times.
|
100352 | CHECK(secp256k1_ge_is_infinity(&ref)); |
| 3512 | } | ||
| 3513 | |||
| 3514 | /* Test adding infinity. */ | ||
| 3515 |
2/2✓ Branch 0 taken 51200 times.
✓ Branch 1 taken 1228800 times.
|
1280000 | if (i1 == 0) { |
| 3516 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 51200 times.
|
51200 | CHECK(secp256k1_ge_is_infinity(&ge[i1])); |
| 3517 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 51200 times.
|
51200 | CHECK(secp256k1_gej_is_infinity(&gej[i1])); |
| 3518 | 51200 | ge_equals_gej(&ref, &gej[i2]); | |
| 3519 | } | ||
| 3520 |
2/2✓ Branch 0 taken 51200 times.
✓ Branch 1 taken 1228800 times.
|
1280000 | if (i2 == 0) { |
| 3521 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 51200 times.
|
51200 | CHECK(secp256k1_ge_is_infinity(&ge[i2])); |
| 3522 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 51200 times.
|
51200 | CHECK(secp256k1_gej_is_infinity(&gej[i2])); |
| 3523 | 51200 | ge_equals_gej(&ref, &gej[i1]); | |
| 3524 | } | ||
| 3525 | } | ||
| 3526 | } | ||
| 3527 | |||
| 3528 | /* Test adding all points together in random order equals infinity. */ | ||
| 3529 | { | ||
| 3530 | 2048 | secp256k1_gej sum = SECP256K1_GEJ_CONST_INFINITY; | |
| 3531 | 2048 | secp256k1_gej *gej_shuffled = (secp256k1_gej *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_gej)); | |
| 3532 |
2/2✓ Branch 1 taken 51200 times.
✓ Branch 2 taken 2048 times.
|
55296 | for (i = 0; i < 4 * runs + 1; i++) { |
| 3533 | 51200 | gej_shuffled[i] = gej[i]; | |
| 3534 | } | ||
| 3535 |
2/2✓ Branch 0 taken 51200 times.
✓ Branch 1 taken 2048 times.
|
53248 | for (i = 0; i < 4 * runs + 1; i++) { |
| 3536 | 51200 | int swap = i + secp256k1_testrand_int(4 * runs + 1 - i); | |
| 3537 |
2/2✓ Branch 0 taken 43409 times.
✓ Branch 1 taken 7791 times.
|
51200 | if (swap != i) { |
| 3538 | 43409 | secp256k1_gej t = gej_shuffled[i]; | |
| 3539 | 43409 | gej_shuffled[i] = gej_shuffled[swap]; | |
| 3540 | 43409 | gej_shuffled[swap] = t; | |
| 3541 | } | ||
| 3542 | } | ||
| 3543 |
2/2✓ Branch 0 taken 51200 times.
✓ Branch 1 taken 2048 times.
|
53248 | for (i = 0; i < 4 * runs + 1; i++) { |
| 3544 | 51200 | secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL); | |
| 3545 | } | ||
| 3546 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 2048 times.
|
2048 | CHECK(secp256k1_gej_is_infinity(&sum)); |
| 3547 | 2048 | free(gej_shuffled); | |
| 3548 | } | ||
| 3549 | |||
| 3550 | /* Test batch gej -> ge conversion without known z ratios. */ | ||
| 3551 | { | ||
| 3552 | 2048 | secp256k1_ge *ge_set_all = (secp256k1_ge *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge)); | |
| 3553 | 2048 | secp256k1_ge_set_all_gej_var(ge_set_all, gej, 4 * runs + 1); | |
| 3554 |
2/2✓ Branch 1 taken 51200 times.
✓ Branch 2 taken 2048 times.
|
55296 | for (i = 0; i < 4 * runs + 1; i++) { |
| 3555 | 51200 | secp256k1_fe s; | |
| 3556 | 51200 | random_fe_non_zero(&s); | |
| 3557 | 51200 | secp256k1_gej_rescale(&gej[i], &s); | |
| 3558 | 51200 | ge_equals_gej(&ge_set_all[i], &gej[i]); | |
| 3559 | } | ||
| 3560 | 2048 | free(ge_set_all); | |
| 3561 | } | ||
| 3562 | |||
| 3563 | /* Test batch gej -> ge conversion with many infinities. */ | ||
| 3564 |
2/2✓ Branch 0 taken 51200 times.
✓ Branch 1 taken 2048 times.
|
53248 | for (i = 0; i < 4 * runs + 1; i++) { |
| 3565 | 51200 | int odd; | |
| 3566 | 51200 | random_group_element_test(&ge[i]); | |
| 3567 |
2/2✓ Branch 0 taken 25412 times.
✓ Branch 1 taken 25788 times.
|
51200 | odd = secp256k1_fe_is_odd(&ge[i].x); |
| 3568 | 51200 | CHECK(odd == 0 || odd == 1); | |
| 3569 | /* randomly set half the points to infinity */ | ||
| 3570 |
2/2✓ Branch 0 taken 25412 times.
✓ Branch 1 taken 25788 times.
|
51200 | if (odd == i % 2) { |
| 3571 | 25412 | secp256k1_ge_set_infinity(&ge[i]); | |
| 3572 | } | ||
| 3573 | 51200 | secp256k1_gej_set_ge(&gej[i], &ge[i]); | |
| 3574 | } | ||
| 3575 | /* batch convert */ | ||
| 3576 | 2048 | secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1); | |
| 3577 | /* check result */ | ||
| 3578 |
2/2✓ Branch 1 taken 51200 times.
✓ Branch 2 taken 2048 times.
|
55296 | for (i = 0; i < 4 * runs + 1; i++) { |
| 3579 | 51200 | ge_equals_gej(&ge[i], &gej[i]); | |
| 3580 | } | ||
| 3581 | |||
| 3582 | /* Test batch gej -> ge conversion with all infinities. */ | ||
| 3583 |
2/2✓ Branch 0 taken 51200 times.
✓ Branch 1 taken 2048 times.
|
53248 | for (i = 0; i < 4 * runs + 1; i++) { |
| 3584 | 51200 | secp256k1_gej_set_infinity(&gej[i]); | |
| 3585 | } | ||
| 3586 | /* batch convert */ | ||
| 3587 | 2048 | secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1); | |
| 3588 | /* check result */ | ||
| 3589 |
2/2✓ Branch 1 taken 51200 times.
✓ Branch 2 taken 2048 times.
|
55296 | for (i = 0; i < 4 * runs + 1; i++) { |
| 3590 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 51200 times.
|
51200 | CHECK(secp256k1_ge_is_infinity(&ge[i])); |
| 3591 | } | ||
| 3592 | |||
| 3593 | 2048 | free(ge); | |
| 3594 | 2048 | free(gej); | |
| 3595 | 2048 | } | |
| 3596 | |||
| 3597 | |||
| 3598 | 1 | void test_intialized_inf(void) { | |
| 3599 | 1 | secp256k1_ge p; | |
| 3600 | 1 | secp256k1_gej pj, npj, infj1, infj2, infj3; | |
| 3601 | 1 | secp256k1_fe zinv; | |
| 3602 | |||
| 3603 | /* Test that adding P+(-P) results in a fully initialized infinity*/ | ||
| 3604 | 1 | random_group_element_test(&p); | |
| 3605 | 1 | secp256k1_gej_set_ge(&pj, &p); | |
| 3606 | 1 | secp256k1_gej_neg(&npj, &pj); | |
| 3607 | |||
| 3608 | 1 | secp256k1_gej_add_var(&infj1, &pj, &npj, NULL); | |
| 3609 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_gej_is_infinity(&infj1)); |
| 3610 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_fe_is_zero(&infj1.x)); |
| 3611 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_fe_is_zero(&infj1.y)); |
| 3612 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_fe_is_zero(&infj1.z)); |
| 3613 | |||
| 3614 | 1 | secp256k1_gej_add_ge_var(&infj2, &npj, &p, NULL); | |
| 3615 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_gej_is_infinity(&infj2)); |
| 3616 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_fe_is_zero(&infj2.x)); |
| 3617 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_fe_is_zero(&infj2.y)); |
| 3618 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_fe_is_zero(&infj2.z)); |
| 3619 | |||
| 3620 | 1 | secp256k1_fe_set_int(&zinv, 1); | |
| 3621 | 1 | secp256k1_gej_add_zinv_var(&infj3, &npj, &p, &zinv); | |
| 3622 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_gej_is_infinity(&infj3)); |
| 3623 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_fe_is_zero(&infj3.x)); |
| 3624 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_fe_is_zero(&infj3.y)); |
| 3625 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_fe_is_zero(&infj3.z)); |
| 3626 | |||
| 3627 | |||
| 3628 | 1 | } | |
| 3629 | |||
| 3630 | 1 | void test_add_neg_y_diff_x(void) { | |
| 3631 | /* The point of this test is to check that we can add two points | ||
| 3632 | * whose y-coordinates are negatives of each other but whose x | ||
| 3633 | * coordinates differ. If the x-coordinates were the same, these | ||
| 3634 | * points would be negatives of each other and their sum is | ||
| 3635 | * infinity. This is cool because it "covers up" any degeneracy | ||
| 3636 | * in the addition algorithm that would cause the xy coordinates | ||
| 3637 | * of the sum to be wrong (since infinity has no xy coordinates). | ||
| 3638 | * HOWEVER, if the x-coordinates are different, infinity is the | ||
| 3639 | * wrong answer, and such degeneracies are exposed. This is the | ||
| 3640 | * root of https://github.com/bitcoin-core/secp256k1/issues/257 | ||
| 3641 | * which this test is a regression test for. | ||
| 3642 | * | ||
| 3643 | * These points were generated in sage as | ||
| 3644 | * # secp256k1 params | ||
| 3645 | * F = FiniteField (0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F) | ||
| 3646 | * C = EllipticCurve ([F (0), F (7)]) | ||
| 3647 | * G = C.lift_x(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798) | ||
| 3648 | * N = FiniteField(G.order()) | ||
| 3649 | * | ||
| 3650 | * # endomorphism values (lambda is 1^{1/3} in N, beta is 1^{1/3} in F) | ||
| 3651 | * x = polygen(N) | ||
| 3652 | * lam = (1 - x^3).roots()[1][0] | ||
| 3653 | * | ||
| 3654 | * # random "bad pair" | ||
| 3655 | * P = C.random_element() | ||
| 3656 | * Q = -int(lam) * P | ||
| 3657 | * print " P: %x %x" % P.xy() | ||
| 3658 | * print " Q: %x %x" % Q.xy() | ||
| 3659 | * print "P + Q: %x %x" % (P + Q).xy() | ||
| 3660 | */ | ||
| 3661 | 1 | secp256k1_gej aj = SECP256K1_GEJ_CONST( | |
| 3662 | 0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30, | ||
| 3663 | 0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb, | ||
| 3664 | 0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8, | ||
| 3665 | 0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d | ||
| 3666 | ); | ||
| 3667 | 1 | secp256k1_gej bj = SECP256K1_GEJ_CONST( | |
| 3668 | 0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86, | ||
| 3669 | 0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7, | ||
| 3670 | 0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57, | ||
| 3671 | 0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2 | ||
| 3672 | ); | ||
| 3673 | 1 | secp256k1_gej sumj = SECP256K1_GEJ_CONST( | |
| 3674 | 0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027, | ||
| 3675 | 0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a, | ||
| 3676 | 0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08, | ||
| 3677 | 0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe | ||
| 3678 | ); | ||
| 3679 | 1 | secp256k1_ge b; | |
| 3680 | 1 | secp256k1_gej resj; | |
| 3681 | 1 | secp256k1_ge res; | |
| 3682 | 1 | secp256k1_ge_set_gej(&b, &bj); | |
| 3683 | |||
| 3684 | 1 | secp256k1_gej_add_var(&resj, &aj, &bj, NULL); | |
| 3685 | 1 | secp256k1_ge_set_gej(&res, &resj); | |
| 3686 | 1 | ge_equals_gej(&res, &sumj); | |
| 3687 | |||
| 3688 | 1 | secp256k1_gej_add_ge(&resj, &aj, &b); | |
| 3689 | 1 | secp256k1_ge_set_gej(&res, &resj); | |
| 3690 | 1 | ge_equals_gej(&res, &sumj); | |
| 3691 | |||
| 3692 | 1 | secp256k1_gej_add_ge_var(&resj, &aj, &b, NULL); | |
| 3693 | 1 | secp256k1_ge_set_gej(&res, &resj); | |
| 3694 | 1 | ge_equals_gej(&res, &sumj); | |
| 3695 | 1 | } | |
| 3696 | |||
| 3697 | 1 | void run_ge(void) { | |
| 3698 | 1 | int i; | |
| 3699 |
2/2✓ Branch 0 taken 2048 times.
✓ Branch 1 taken 1 times.
|
2049 | for (i = 0; i < count * 32; i++) { |
| 3700 | 2048 | test_ge(); | |
| 3701 | } | ||
| 3702 | 1 | test_add_neg_y_diff_x(); | |
| 3703 | 1 | test_intialized_inf(); | |
| 3704 | 1 | } | |
| 3705 | |||
| 3706 | 384 | void test_gej_cmov(const secp256k1_gej *a, const secp256k1_gej *b) { | |
| 3707 | 384 | secp256k1_gej t = *a; | |
| 3708 | 384 | secp256k1_gej_cmov(&t, b, 0); | |
| 3709 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 384 times.
|
384 | CHECK(gej_xyz_equals_gej(&t, a)); |
| 3710 | 384 | secp256k1_gej_cmov(&t, b, 1); | |
| 3711 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 384 times.
|
384 | CHECK(gej_xyz_equals_gej(&t, b)); |
| 3712 | 384 | } | |
| 3713 | |||
| 3714 | 1 | void run_gej(void) { | |
| 3715 | 1 | int i; | |
| 3716 | 1 | secp256k1_gej a, b; | |
| 3717 | |||
| 3718 | /* Tests for secp256k1_gej_cmov */ | ||
| 3719 |
2/2✓ Branch 0 taken 64 times.
✓ Branch 1 taken 1 times.
|
65 | for (i = 0; i < count; i++) { |
| 3720 | 64 | secp256k1_gej_set_infinity(&a); | |
| 3721 | 64 | secp256k1_gej_set_infinity(&b); | |
| 3722 | 64 | test_gej_cmov(&a, &b); | |
| 3723 | |||
| 3724 | 64 | random_gej_test(&a); | |
| 3725 | 64 | test_gej_cmov(&a, &b); | |
| 3726 | 64 | test_gej_cmov(&b, &a); | |
| 3727 | |||
| 3728 | 64 | b = a; | |
| 3729 | 64 | test_gej_cmov(&a, &b); | |
| 3730 | |||
| 3731 | 64 | random_gej_test(&b); | |
| 3732 | 64 | test_gej_cmov(&a, &b); | |
| 3733 | 64 | test_gej_cmov(&b, &a); | |
| 3734 | } | ||
| 3735 | 1 | } | |
| 3736 | |||
| 3737 | 512 | void test_ec_combine(void) { | |
| 3738 | 512 | secp256k1_scalar sum = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0); | |
| 3739 | 512 | secp256k1_pubkey data[6]; | |
| 3740 | 512 | const secp256k1_pubkey* d[6]; | |
| 3741 | 512 | secp256k1_pubkey sd; | |
| 3742 | 512 | secp256k1_pubkey sd2; | |
| 3743 | 512 | secp256k1_gej Qj; | |
| 3744 | 512 | secp256k1_ge Q; | |
| 3745 | 512 | int i; | |
| 3746 |
2/2✓ Branch 0 taken 3072 times.
✓ Branch 1 taken 512 times.
|
3584 | for (i = 1; i <= 6; i++) { |
| 3747 | 3072 | secp256k1_scalar s; | |
| 3748 | 3072 | random_scalar_order_test(&s); | |
| 3749 | 3072 | secp256k1_scalar_add(&sum, &sum, &s); | |
| 3750 | 3072 | secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &s); | |
| 3751 | 3072 | secp256k1_ge_set_gej(&Q, &Qj); | |
| 3752 | 3072 | secp256k1_pubkey_save(&data[i - 1], &Q); | |
| 3753 | 3072 | d[i - 1] = &data[i - 1]; | |
| 3754 | 3072 | secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &sum); | |
| 3755 | 3072 | secp256k1_ge_set_gej(&Q, &Qj); | |
| 3756 | 3072 | secp256k1_pubkey_save(&sd, &Q); | |
| 3757 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 3072 times.
|
3072 | CHECK(secp256k1_ec_pubkey_combine(ctx, &sd2, d, i) == 1); |
| 3758 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 3072 times.
|
3072 | CHECK(secp256k1_memcmp_var(&sd, &sd2, sizeof(sd)) == 0); |
| 3759 | } | ||
| 3760 | 512 | } | |
| 3761 | |||
| 3762 | 1 | void run_ec_combine(void) { | |
| 3763 | 1 | int i; | |
| 3764 |
2/2✓ Branch 0 taken 512 times.
✓ Branch 1 taken 1 times.
|
513 | for (i = 0; i < count * 8; i++) { |
| 3765 | 512 | test_ec_combine(); | |
| 3766 | } | ||
| 3767 | 1 | } | |
| 3768 | |||
| 3769 | 512 | void test_ec_commit(void) { | |
| 3770 | 512 | secp256k1_scalar seckey_s; | |
| 3771 | 512 | secp256k1_ge pubkey; | |
| 3772 | 512 | secp256k1_gej pubkeyj; | |
| 3773 | 512 | secp256k1_ge commitment; | |
| 3774 | 512 | unsigned char data[32]; | |
| 3775 | 512 | secp256k1_sha256 sha; | |
| 3776 | |||
| 3777 | /* Create random keypair and data */ | ||
| 3778 | 512 | random_scalar_order_test(&seckey_s); | |
| 3779 | 512 | secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pubkeyj, &seckey_s); | |
| 3780 | 512 | secp256k1_ge_set_gej(&pubkey, &pubkeyj); | |
| 3781 | 512 | secp256k1_testrand256_test(data); | |
| 3782 | |||
| 3783 | /* Commit to data and verify */ | ||
| 3784 | 512 | secp256k1_sha256_initialize(&sha); | |
| 3785 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 512 times.
|
512 | CHECK(secp256k1_ec_commit(&commitment, &pubkey, &sha, data, 32) == 1); |
| 3786 | 512 | secp256k1_sha256_initialize(&sha); | |
| 3787 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 512 times.
|
512 | CHECK(secp256k1_ec_commit_verify(&commitment, &pubkey, &sha, data, 32) == 1); |
| 3788 | 512 | secp256k1_sha256_initialize(&sha); | |
| 3789 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 512 times.
|
512 | CHECK(secp256k1_ec_commit_seckey(&seckey_s, &pubkey, &sha, data, 32) == 1); |
| 3790 | 512 | secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pubkeyj, &seckey_s); | |
| 3791 | 512 | ge_equals_gej(&commitment, &pubkeyj); | |
| 3792 | |||
| 3793 | /* Check that verification fails with different data */ | ||
| 3794 | 512 | secp256k1_sha256_initialize(&sha); | |
| 3795 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 512 times.
|
512 | CHECK(secp256k1_ec_commit_verify(&commitment, &pubkey, &sha, data, 31) == 0); |
| 3796 | |||
| 3797 | /* Check that commmitting fails when the inner pubkey is the point at | ||
| 3798 | * infinity */ | ||
| 3799 | 512 | secp256k1_sha256_initialize(&sha); | |
| 3800 | 512 | secp256k1_ge_set_infinity(&pubkey); | |
| 3801 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 512 times.
|
512 | CHECK(secp256k1_ec_commit(&commitment, &pubkey, &sha, data, 32) == 0); |
| 3802 | 512 | secp256k1_scalar_set_int(&seckey_s, 0); | |
| 3803 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 512 times.
|
512 | CHECK(secp256k1_ec_commit_seckey(&seckey_s, &pubkey, &sha, data, 32) == 0); |
| 3804 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 512 times.
|
512 | CHECK(secp256k1_ec_commit_verify(&commitment, &pubkey, &sha, data, 32) == 0); |
| 3805 | 512 | } | |
| 3806 | |||
| 3807 | 1 | void test_ec_commit_api(void) { | |
| 3808 | 1 | unsigned char seckey[32]; | |
| 3809 | 1 | secp256k1_scalar seckey_s; | |
| 3810 | 1 | secp256k1_ge pubkey; | |
| 3811 | 1 | secp256k1_gej pubkeyj; | |
| 3812 | 1 | secp256k1_ge commitment; | |
| 3813 | 1 | unsigned char data[32]; | |
| 3814 | 1 | secp256k1_sha256 sha; | |
| 3815 | |||
| 3816 | 1 | memset(data, 23, sizeof(data)); | |
| 3817 | |||
| 3818 | /* Create random keypair */ | ||
| 3819 | 1 | random_scalar_order_test(&seckey_s); | |
| 3820 | 1 | secp256k1_scalar_get_b32(seckey, &seckey_s); | |
| 3821 | 1 | secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pubkeyj, &seckey_s); | |
| 3822 | 1 | secp256k1_ge_set_gej(&pubkey, &pubkeyj); | |
| 3823 | |||
| 3824 | 1 | secp256k1_sha256_initialize(&sha); | |
| 3825 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_commit(&commitment, &pubkey, &sha, data, 1) == 1); |
| 3826 | /* The same pubkey can be both input and output of the function */ | ||
| 3827 | { | ||
| 3828 | 1 | secp256k1_ge pubkey_tmp = pubkey; | |
| 3829 | 1 | secp256k1_sha256_initialize(&sha); | |
| 3830 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_commit(&pubkey_tmp, &pubkey_tmp, &sha, data, 1) == 1); |
| 3831 | 1 | ge_equals_ge(&commitment, &pubkey_tmp); | |
| 3832 | } | ||
| 3833 | |||
| 3834 | 1 | secp256k1_sha256_initialize(&sha); | |
| 3835 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_commit_verify(&commitment, &pubkey, &sha, data, 1) == 1); |
| 3836 | 1 | } | |
| 3837 | |||
| 3838 | 1 | void run_ec_commit(void) { | |
| 3839 | 1 | int i; | |
| 3840 |
2/2✓ Branch 0 taken 512 times.
✓ Branch 1 taken 1 times.
|
513 | for (i = 0; i < count * 8; i++) { |
| 3841 | 512 | test_ec_commit(); | |
| 3842 | } | ||
| 3843 | 1 | test_ec_commit_api(); | |
| 3844 | 1 | } | |
| 3845 | |||
| 3846 | 256 | void test_group_decompress(const secp256k1_fe* x) { | |
| 3847 | /* The input itself, normalized. */ | ||
| 3848 | 256 | secp256k1_fe fex = *x; | |
| 3849 | 256 | secp256k1_fe fez; | |
| 3850 | /* Results of set_xquad_var, set_xo_var(..., 0), set_xo_var(..., 1). */ | ||
| 3851 | 256 | secp256k1_ge ge_quad, ge_even, ge_odd; | |
| 3852 | 256 | secp256k1_gej gej_quad; | |
| 3853 | /* Return values of the above calls. */ | ||
| 3854 | 256 | int res_quad, res_even, res_odd; | |
| 3855 | |||
| 3856 | 256 | secp256k1_fe_normalize_var(&fex); | |
| 3857 | |||
| 3858 | 256 | res_quad = secp256k1_ge_set_xquad(&ge_quad, &fex); | |
| 3859 | 256 | res_even = secp256k1_ge_set_xo_var(&ge_even, &fex, 0); | |
| 3860 | 256 | res_odd = secp256k1_ge_set_xo_var(&ge_odd, &fex, 1); | |
| 3861 | |||
| 3862 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 256 times.
|
256 | CHECK(res_quad == res_even); |
| 3863 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 256 times.
|
256 | CHECK(res_quad == res_odd); |
| 3864 | |||
| 3865 |
2/2✓ Branch 0 taken 135 times.
✓ Branch 1 taken 121 times.
|
256 | if (res_quad) { |
| 3866 | 135 | secp256k1_fe_normalize_var(&ge_quad.x); | |
| 3867 | 135 | secp256k1_fe_normalize_var(&ge_odd.x); | |
| 3868 | 135 | secp256k1_fe_normalize_var(&ge_even.x); | |
| 3869 | 135 | secp256k1_fe_normalize_var(&ge_quad.y); | |
| 3870 | 135 | secp256k1_fe_normalize_var(&ge_odd.y); | |
| 3871 | 135 | secp256k1_fe_normalize_var(&ge_even.y); | |
| 3872 | |||
| 3873 | /* No infinity allowed. */ | ||
| 3874 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 135 times.
|
135 | CHECK(!ge_quad.infinity); |
| 3875 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 135 times.
|
135 | CHECK(!ge_even.infinity); |
| 3876 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 135 times.
|
135 | CHECK(!ge_odd.infinity); |
| 3877 | |||
| 3878 | /* Check that the x coordinates check out. */ | ||
| 3879 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 135 times.
|
135 | CHECK(secp256k1_fe_equal_var(&ge_quad.x, x)); |
| 3880 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 135 times.
|
135 | CHECK(secp256k1_fe_equal_var(&ge_even.x, x)); |
| 3881 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 135 times.
|
135 | CHECK(secp256k1_fe_equal_var(&ge_odd.x, x)); |
| 3882 | |||
| 3883 | /* Check that the Y coordinate result in ge_quad is a square. */ | ||
| 3884 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 135 times.
|
135 | CHECK(secp256k1_fe_is_quad_var(&ge_quad.y)); |
| 3885 | |||
| 3886 | /* Check odd/even Y in ge_odd, ge_even. */ | ||
| 3887 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 135 times.
|
135 | CHECK(secp256k1_fe_is_odd(&ge_odd.y)); |
| 3888 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 135 times.
|
135 | CHECK(!secp256k1_fe_is_odd(&ge_even.y)); |
| 3889 | |||
| 3890 | /* Check secp256k1_gej_has_quad_y_var. */ | ||
| 3891 | 135 | secp256k1_gej_set_ge(&gej_quad, &ge_quad); | |
| 3892 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 135 times.
|
135 | CHECK(secp256k1_gej_has_quad_y_var(&gej_quad)); |
| 3893 | 135 | do { | |
| 3894 | 135 | random_fe_test(&fez); | |
| 3895 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 135 times.
|
135 | } while (secp256k1_fe_is_zero(&fez)); |
| 3896 | 135 | secp256k1_gej_rescale(&gej_quad, &fez); | |
| 3897 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 135 times.
|
135 | CHECK(secp256k1_gej_has_quad_y_var(&gej_quad)); |
| 3898 | 135 | secp256k1_gej_neg(&gej_quad, &gej_quad); | |
| 3899 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 135 times.
|
135 | CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad)); |
| 3900 | 135 | do { | |
| 3901 | 135 | random_fe_test(&fez); | |
| 3902 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 135 times.
|
135 | } while (secp256k1_fe_is_zero(&fez)); |
| 3903 | 135 | secp256k1_gej_rescale(&gej_quad, &fez); | |
| 3904 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 135 times.
|
135 | CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad)); |
| 3905 | 135 | secp256k1_gej_neg(&gej_quad, &gej_quad); | |
| 3906 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 135 times.
|
135 | CHECK(secp256k1_gej_has_quad_y_var(&gej_quad)); |
| 3907 | } | ||
| 3908 | 256 | } | |
| 3909 | |||
| 3910 | 1 | void run_group_decompress(void) { | |
| 3911 | 1 | int i; | |
| 3912 |
2/2✓ Branch 0 taken 256 times.
✓ Branch 1 taken 1 times.
|
257 | for (i = 0; i < count * 4; i++) { |
| 3913 | 256 | secp256k1_fe fe; | |
| 3914 | 256 | random_fe_test(&fe); | |
| 3915 | 256 | test_group_decompress(&fe); | |
| 3916 | } | ||
| 3917 | 1 | } | |
| 3918 | |||
| 3919 | /***** ECMULT TESTS *****/ | ||
| 3920 | |||
| 3921 | 2 | void test_pre_g_table(const secp256k1_ge_storage * pre_g, size_t n) { | |
| 3922 | /* Tests the pre_g / pre_g_128 tables for consistency. | ||
| 3923 | * For independent verification we take a "geometric" approach to verification. | ||
| 3924 | * We check that every entry is on-curve. | ||
| 3925 | * We check that for consecutive entries p and q, that p + gg - q = 0 by checking | ||
| 3926 | * (1) p, gg, and -q are colinear. | ||
| 3927 | * (2) p, gg, and -q are all distinct. | ||
| 3928 | * where gg is twice the generator, where the generator is the first table entry. | ||
| 3929 | * | ||
| 3930 | * Checking the table's generators are correct is done in run_ecmult_pre_g. | ||
| 3931 | */ | ||
| 3932 | 2 | secp256k1_gej g2; | |
| 3933 | 2 | secp256k1_ge p, q, gg; | |
| 3934 | 2 | secp256k1_fe dpx, dpy, dqx, dqy; | |
| 3935 | 2 | size_t i; | |
| 3936 | |||
| 3937 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
|
2 | CHECK(0 < n); |
| 3938 | |||
| 3939 | 2 | secp256k1_ge_from_storage(&p, &pre_g[0]); | |
| 3940 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 2 times.
|
2 | CHECK(secp256k1_ge_is_valid_var(&p)); |
| 3941 | |||
| 3942 | 2 | secp256k1_gej_set_ge(&g2, &p); | |
| 3943 | 2 | secp256k1_gej_double_var(&g2, &g2, NULL); | |
| 3944 | 2 | secp256k1_ge_set_gej_var(&gg, &g2); | |
| 3945 |
2/2✓ Branch 1 taken 16382 times.
✓ Branch 2 taken 2 times.
|
16386 | for (i = 1; i < n; ++i) { |
| 3946 | 16382 | secp256k1_fe_negate(&dpx, &p.x, 1); secp256k1_fe_add(&dpx, &gg.x); secp256k1_fe_normalize_weak(&dpx); | |
| 3947 | 16382 | secp256k1_fe_negate(&dpy, &p.y, 1); secp256k1_fe_add(&dpy, &gg.y); secp256k1_fe_normalize_weak(&dpy); | |
| 3948 | /* Check that p is not equal to gg */ | ||
| 3949 |
1/4✗ Branch 0 not taken.
✓ Branch 1 taken 16382 times.
✗ Branch 2 not taken.
✗ Branch 3 not taken.
|
16382 | CHECK(!secp256k1_fe_normalizes_to_zero_var(&dpx) || !secp256k1_fe_normalizes_to_zero_var(&dpy)); |
| 3950 | |||
| 3951 | 16382 | secp256k1_ge_from_storage(&q, &pre_g[i]); | |
| 3952 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 16382 times.
|
16382 | CHECK(secp256k1_ge_is_valid_var(&q)); |
| 3953 | |||
| 3954 | 16382 | secp256k1_fe_negate(&dqx, &q.x, 1); secp256k1_fe_add(&dqx, &gg.x); secp256k1_fe_normalize_weak(&dqx); | |
| 3955 | 16382 | dqy = q.y; secp256k1_fe_add(&dqy, &gg.y); secp256k1_fe_normalize_weak(&dqy); | |
| 3956 | /* Check that -q is not equal to gg */ | ||
| 3957 |
1/4✗ Branch 0 not taken.
✓ Branch 1 taken 16382 times.
✗ Branch 2 not taken.
✗ Branch 3 not taken.
|
16382 | CHECK(!secp256k1_fe_normalizes_to_zero_var(&dqx) || !secp256k1_fe_normalizes_to_zero_var(&dqy)); |
| 3958 | |||
| 3959 | /* Check that -q is not equal to p */ | ||
| 3960 |
1/4✗ Branch 0 not taken.
✓ Branch 1 taken 16382 times.
✗ Branch 2 not taken.
✗ Branch 3 not taken.
|
16382 | CHECK(!secp256k1_fe_equal_var(&dpx, &dqx) || !secp256k1_fe_equal_var(&dpy, &dqy)); |
| 3961 | |||
| 3962 | /* Check that p, -q and gg are colinear */ | ||
| 3963 | 16382 | secp256k1_fe_mul(&dpx, &dpx, &dqy); | |
| 3964 | 16382 | secp256k1_fe_mul(&dpy, &dpy, &dqx); | |
| 3965 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 16382 times.
|
16382 | CHECK(secp256k1_fe_equal_var(&dpx, &dpy)); |
| 3966 | |||
| 3967 | 16382 | p = q; | |
| 3968 | } | ||
| 3969 | 2 | } | |
| 3970 | |||
| 3971 | 1 | void run_ecmult_pre_g(void) { | |
| 3972 | 1 | secp256k1_ge_storage gs; | |
| 3973 | 1 | secp256k1_gej gj; | |
| 3974 | 1 | secp256k1_ge g; | |
| 3975 | 1 | size_t i; | |
| 3976 | |||
| 3977 | /* Check that the pre_g and pre_g_128 tables are consistent. */ | ||
| 3978 | 1 | test_pre_g_table(secp256k1_pre_g, ECMULT_TABLE_SIZE(WINDOW_G)); | |
| 3979 | 1 | test_pre_g_table(secp256k1_pre_g_128, ECMULT_TABLE_SIZE(WINDOW_G)); | |
| 3980 | |||
| 3981 | /* Check the first entry from the pre_g table. */ | ||
| 3982 | 1 | secp256k1_ge_to_storage(&gs, &secp256k1_ge_const_g); | |
| 3983 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
2 | CHECK(secp256k1_memcmp_var(&gs, &secp256k1_pre_g[0], sizeof(gs)) == 0); |
| 3984 | |||
| 3985 | /* Check the first entry from the pre_g_128 table. */ | ||
| 3986 | 1 | secp256k1_gej_set_ge(&gj, &secp256k1_ge_const_g); | |
| 3987 |
2/2✓ Branch 1 taken 128 times.
✓ Branch 2 taken 1 times.
|
130 | for (i = 0; i < 128; ++i) { |
| 3988 | 128 | secp256k1_gej_double_var(&gj, &gj, NULL); | |
| 3989 | } | ||
| 3990 | 1 | secp256k1_ge_set_gej(&g, &gj); | |
| 3991 | 1 | secp256k1_ge_to_storage(&gs, &g); | |
| 3992 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
2 | CHECK(secp256k1_memcmp_var(&gs, &secp256k1_pre_g_128[0], sizeof(gs)) == 0); |
| 3993 | 1 | } | |
| 3994 | |||
| 3995 | 1 | void run_ecmult_chain(void) { | |
| 3996 | /* random starting point A (on the curve) */ | ||
| 3997 | 1 | secp256k1_gej a = SECP256K1_GEJ_CONST( | |
| 3998 | 0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3, | ||
| 3999 | 0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004, | ||
| 4000 | 0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f, | ||
| 4001 | 0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f | ||
| 4002 | ); | ||
| 4003 | /* two random initial factors xn and gn */ | ||
| 4004 | 1 | secp256k1_scalar xn = SECP256K1_SCALAR_CONST( | |
| 4005 | 0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c, | ||
| 4006 | 0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407 | ||
| 4007 | ); | ||
| 4008 | 1 | secp256k1_scalar gn = SECP256K1_SCALAR_CONST( | |
| 4009 | 0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9, | ||
| 4010 | 0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de | ||
| 4011 | ); | ||
| 4012 | /* two small multipliers to be applied to xn and gn in every iteration: */ | ||
| 4013 | 1 | static const secp256k1_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337); | |
| 4014 | 1 | static const secp256k1_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113); | |
| 4015 | /* accumulators with the resulting coefficients to A and G */ | ||
| 4016 | 1 | secp256k1_scalar ae = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1); | |
| 4017 | 1 | secp256k1_scalar ge = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0); | |
| 4018 | /* actual points */ | ||
| 4019 | 1 | secp256k1_gej x; | |
| 4020 | 1 | secp256k1_gej x2; | |
| 4021 | 1 | int i; | |
| 4022 | |||
| 4023 | /* the point being computed */ | ||
| 4024 | 1 | x = a; | |
| 4025 |
2/2✓ Branch 0 taken 12800 times.
✓ Branch 1 taken 1 times.
|
12801 | for (i = 0; i < 200*count; i++) { |
| 4026 | /* in each iteration, compute X = xn*X + gn*G; */ | ||
| 4027 | 12800 | secp256k1_ecmult(&x, &x, &xn, &gn); | |
| 4028 | /* also compute ae and ge: the actual accumulated factors for A and G */ | ||
| 4029 | /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */ | ||
| 4030 | 12800 | secp256k1_scalar_mul(&ae, &ae, &xn); | |
| 4031 | 12800 | secp256k1_scalar_mul(&ge, &ge, &xn); | |
| 4032 | 12800 | secp256k1_scalar_add(&ge, &ge, &gn); | |
| 4033 | /* modify xn and gn */ | ||
| 4034 | 12800 | secp256k1_scalar_mul(&xn, &xn, &xf); | |
| 4035 | 12800 | secp256k1_scalar_mul(&gn, &gn, &gf); | |
| 4036 | |||
| 4037 | /* verify */ | ||
| 4038 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 12800 times.
|
12800 | if (i == 19999) { |
| 4039 | /* expected result after 19999 iterations */ | ||
| 4040 | ✗ | secp256k1_gej rp = SECP256K1_GEJ_CONST( | |
| 4041 | 0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE, | ||
| 4042 | 0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830, | ||
| 4043 | 0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D, | ||
| 4044 | 0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88 | ||
| 4045 | ); | ||
| 4046 | |||
| 4047 | ✗ | secp256k1_gej_neg(&rp, &rp); | |
| 4048 | ✗ | secp256k1_gej_add_var(&rp, &rp, &x, NULL); | |
| 4049 | ✗ | CHECK(secp256k1_gej_is_infinity(&rp)); | |
| 4050 | } | ||
| 4051 | } | ||
| 4052 | /* redo the computation, but directly with the resulting ae and ge coefficients: */ | ||
| 4053 | 1 | secp256k1_ecmult(&x2, &a, &ae, &ge); | |
| 4054 | 1 | secp256k1_gej_neg(&x2, &x2); | |
| 4055 | 1 | secp256k1_gej_add_var(&x2, &x2, &x, NULL); | |
| 4056 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_gej_is_infinity(&x2)); |
| 4057 | 1 | } | |
| 4058 | |||
| 4059 | 250 | void test_point_times_order(const secp256k1_gej *point) { | |
| 4060 | /* X * (point + G) + (order-X) * (pointer + G) = 0 */ | ||
| 4061 | 250 | secp256k1_scalar x; | |
| 4062 | 250 | secp256k1_scalar nx; | |
| 4063 | 250 | secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0); | |
| 4064 | 250 | secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1); | |
| 4065 | 250 | secp256k1_gej res1, res2; | |
| 4066 | 250 | secp256k1_ge res3; | |
| 4067 | 250 | unsigned char pub[65]; | |
| 4068 | 250 | size_t psize = 65; | |
| 4069 | 250 | random_scalar_order_test(&x); | |
| 4070 | 250 | secp256k1_scalar_negate(&nx, &x); | |
| 4071 | 250 | secp256k1_ecmult(&res1, point, &x, &x); /* calc res1 = x * point + x * G; */ | |
| 4072 | 250 | secp256k1_ecmult(&res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */ | |
| 4073 | 250 | secp256k1_gej_add_var(&res1, &res1, &res2, NULL); | |
| 4074 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 250 times.
|
250 | CHECK(secp256k1_gej_is_infinity(&res1)); |
| 4075 | 250 | secp256k1_ge_set_gej(&res3, &res1); | |
| 4076 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 250 times.
|
250 | CHECK(secp256k1_ge_is_infinity(&res3)); |
| 4077 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 250 times.
|
250 | CHECK(secp256k1_ge_is_valid_var(&res3) == 0); |
| 4078 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 250 times.
|
250 | CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0); |
| 4079 | 250 | psize = 65; | |
| 4080 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 250 times.
|
250 | CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0); |
| 4081 | /* check zero/one edge cases */ | ||
| 4082 | 250 | secp256k1_ecmult(&res1, point, &zero, &zero); | |
| 4083 | 250 | secp256k1_ge_set_gej(&res3, &res1); | |
| 4084 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 250 times.
|
250 | CHECK(secp256k1_ge_is_infinity(&res3)); |
| 4085 | 250 | secp256k1_ecmult(&res1, point, &one, &zero); | |
| 4086 | 250 | secp256k1_ge_set_gej(&res3, &res1); | |
| 4087 | 250 | ge_equals_gej(&res3, point); | |
| 4088 | 250 | secp256k1_ecmult(&res1, point, &zero, &one); | |
| 4089 | 250 | secp256k1_ge_set_gej(&res3, &res1); | |
| 4090 | 250 | ge_equals_ge(&res3, &secp256k1_ge_const_g); | |
| 4091 | 250 | } | |
| 4092 | |||
| 4093 | /* These scalars reach large (in absolute value) outputs when fed to secp256k1_scalar_split_lambda. | ||
| 4094 | * | ||
| 4095 | * They are computed as: | ||
| 4096 | * - For a in [-2, -1, 0, 1, 2]: | ||
| 4097 | * - For b in [-3, -1, 1, 3]: | ||
| 4098 | * - Output (a*LAMBDA + (ORDER+b)/2) % ORDER | ||
| 4099 | */ | ||
| 4100 | static const secp256k1_scalar scalars_near_split_bounds[20] = { | ||
| 4101 | SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fc), | ||
| 4102 | SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fd), | ||
| 4103 | SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fe), | ||
| 4104 | SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6ff), | ||
| 4105 | SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632d), | ||
| 4106 | SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632e), | ||
| 4107 | SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632f), | ||
| 4108 | SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf76330), | ||
| 4109 | SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b209f), | ||
| 4110 | SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a0), | ||
| 4111 | SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a1), | ||
| 4112 | SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a2), | ||
| 4113 | SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede11), | ||
| 4114 | SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede12), | ||
| 4115 | SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede13), | ||
| 4116 | SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede14), | ||
| 4117 | SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a42), | ||
| 4118 | SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a43), | ||
| 4119 | SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a44), | ||
| 4120 | SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a45) | ||
| 4121 | }; | ||
| 4122 | |||
| 4123 | 15360 | void test_ecmult_target(const secp256k1_scalar* target, int mode) { | |
| 4124 | /* Mode: 0=ecmult_gen, 1=ecmult, 2=ecmult_const */ | ||
| 4125 | 15360 | secp256k1_scalar n1, n2; | |
| 4126 | 15360 | secp256k1_ge p; | |
| 4127 | 15360 | secp256k1_gej pj, p1j, p2j, ptj; | |
| 4128 | 15360 | static const secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0); | |
| 4129 | |||
| 4130 | /* Generate random n1,n2 such that n1+n2 = -target. */ | ||
| 4131 | 15360 | random_scalar_order_test(&n1); | |
| 4132 | 15360 | secp256k1_scalar_add(&n2, &n1, target); | |
| 4133 | 15360 | secp256k1_scalar_negate(&n2, &n2); | |
| 4134 | |||
| 4135 | /* Generate a random input point. */ | ||
| 4136 |
2/2✓ Branch 0 taken 5120 times.
✓ Branch 1 taken 10240 times.
|
15360 | if (mode != 0) { |
| 4137 | 10240 | random_group_element_test(&p); | |
| 4138 | 10240 | secp256k1_gej_set_ge(&pj, &p); | |
| 4139 | } | ||
| 4140 | |||
| 4141 | /* EC multiplications */ | ||
| 4142 | 15360 | if (mode == 0) { | |
| 4143 | 5120 | secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &p1j, &n1); | |
| 4144 | 5120 | secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &p2j, &n2); | |
| 4145 | 5120 | secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &ptj, target); | |
| 4146 |
2/2✓ Branch 0 taken 5120 times.
✓ Branch 1 taken 5120 times.
|
10240 | } else if (mode == 1) { |
| 4147 | 5120 | secp256k1_ecmult(&p1j, &pj, &n1, &zero); | |
| 4148 | 5120 | secp256k1_ecmult(&p2j, &pj, &n2, &zero); | |
| 4149 | 5120 | secp256k1_ecmult(&ptj, &pj, target, &zero); | |
| 4150 | } else { | ||
| 4151 | 5120 | secp256k1_ecmult_const(&p1j, &p, &n1, 256); | |
| 4152 | 5120 | secp256k1_ecmult_const(&p2j, &p, &n2, 256); | |
| 4153 | 5120 | secp256k1_ecmult_const(&ptj, &p, target, 256); | |
| 4154 | } | ||
| 4155 | |||
| 4156 | /* Add them all up: n1*P + n2*P + target*P = (n1+n2+target)*P = (n1+n1-n1-n2)*P = 0. */ | ||
| 4157 | 15360 | secp256k1_gej_add_var(&ptj, &ptj, &p1j, NULL); | |
| 4158 | 15360 | secp256k1_gej_add_var(&ptj, &ptj, &p2j, NULL); | |
| 4159 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 15360 times.
|
15360 | CHECK(secp256k1_gej_is_infinity(&ptj)); |
| 4160 | 15360 | } | |
| 4161 | |||
| 4162 | 1 | void run_ecmult_near_split_bound(void) { | |
| 4163 | 1 | int i; | |
| 4164 | 1 | unsigned j; | |
| 4165 |
2/2✓ Branch 0 taken 256 times.
✓ Branch 1 taken 1 times.
|
257 | for (i = 0; i < 4*count; ++i) { |
| 4166 |
2/2✓ Branch 0 taken 5120 times.
✓ Branch 1 taken 256 times.
|
5376 | for (j = 0; j < sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); ++j) { |
| 4167 | 5120 | test_ecmult_target(&scalars_near_split_bounds[j], 0); | |
| 4168 | 5120 | test_ecmult_target(&scalars_near_split_bounds[j], 1); | |
| 4169 | 5120 | test_ecmult_target(&scalars_near_split_bounds[j], 2); | |
| 4170 | } | ||
| 4171 | } | ||
| 4172 | 1 | } | |
| 4173 | |||
| 4174 | 1 | void run_point_times_order(void) { | |
| 4175 | 1 | int i; | |
| 4176 | 1 | secp256k1_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2); | |
| 4177 | 1 | static const secp256k1_fe xr = SECP256K1_FE_CONST( | |
| 4178 | 0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C, | ||
| 4179 | 0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45 | ||
| 4180 | ); | ||
| 4181 |
2/2✓ Branch 0 taken 500 times.
✓ Branch 1 taken 1 times.
|
501 | for (i = 0; i < 500; i++) { |
| 4182 | 500 | secp256k1_ge p; | |
| 4183 |
2/2✓ Branch 1 taken 250 times.
✓ Branch 2 taken 250 times.
|
500 | if (secp256k1_ge_set_xo_var(&p, &x, 1)) { |
| 4184 | 250 | secp256k1_gej j; | |
| 4185 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 250 times.
|
250 | CHECK(secp256k1_ge_is_valid_var(&p)); |
| 4186 | 250 | secp256k1_gej_set_ge(&j, &p); | |
| 4187 | 250 | test_point_times_order(&j); | |
| 4188 | } | ||
| 4189 | 500 | secp256k1_fe_sqr(&x, &x); | |
| 4190 | } | ||
| 4191 | 1 | secp256k1_fe_normalize_var(&x); | |
| 4192 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_fe_equal_var(&x, &xr)); |
| 4193 | 1 | } | |
| 4194 | |||
| 4195 | 1 | void ecmult_const_random_mult(void) { | |
| 4196 | /* random starting point A (on the curve) */ | ||
| 4197 | 1 | secp256k1_ge a = SECP256K1_GE_CONST( | |
| 4198 | 0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b, | ||
| 4199 | 0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a, | ||
| 4200 | 0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c, | ||
| 4201 | 0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d | ||
| 4202 | ); | ||
| 4203 | /* random initial factor xn */ | ||
| 4204 | 1 | secp256k1_scalar xn = SECP256K1_SCALAR_CONST( | |
| 4205 | 0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327, | ||
| 4206 | 0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b | ||
| 4207 | ); | ||
| 4208 | /* expected xn * A (from sage) */ | ||
| 4209 | 1 | secp256k1_ge expected_b = SECP256K1_GE_CONST( | |
| 4210 | 0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd, | ||
| 4211 | 0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786, | ||
| 4212 | 0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f, | ||
| 4213 | 0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956 | ||
| 4214 | ); | ||
| 4215 | 1 | secp256k1_gej b; | |
| 4216 | 1 | secp256k1_ecmult_const(&b, &a, &xn, 256); | |
| 4217 | |||
| 4218 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ge_is_valid_var(&a)); |
| 4219 | 1 | ge_equals_gej(&expected_b, &b); | |
| 4220 | 1 | } | |
| 4221 | |||
| 4222 | 1 | void ecmult_const_commutativity(void) { | |
| 4223 | 1 | secp256k1_scalar a; | |
| 4224 | 1 | secp256k1_scalar b; | |
| 4225 | 1 | secp256k1_gej res1; | |
| 4226 | 1 | secp256k1_gej res2; | |
| 4227 | 1 | secp256k1_ge mid1; | |
| 4228 | 1 | secp256k1_ge mid2; | |
| 4229 | 1 | random_scalar_order_test(&a); | |
| 4230 | 1 | random_scalar_order_test(&b); | |
| 4231 | |||
| 4232 | 1 | secp256k1_ecmult_const(&res1, &secp256k1_ge_const_g, &a, 256); | |
| 4233 | 1 | secp256k1_ecmult_const(&res2, &secp256k1_ge_const_g, &b, 256); | |
| 4234 | 1 | secp256k1_ge_set_gej(&mid1, &res1); | |
| 4235 | 1 | secp256k1_ge_set_gej(&mid2, &res2); | |
| 4236 | 1 | secp256k1_ecmult_const(&res1, &mid1, &b, 256); | |
| 4237 | 1 | secp256k1_ecmult_const(&res2, &mid2, &a, 256); | |
| 4238 | 1 | secp256k1_ge_set_gej(&mid1, &res1); | |
| 4239 | 1 | secp256k1_ge_set_gej(&mid2, &res2); | |
| 4240 | 1 | ge_equals_ge(&mid1, &mid2); | |
| 4241 | 1 | } | |
| 4242 | |||
| 4243 | 1 | void ecmult_const_mult_zero_one(void) { | |
| 4244 | 1 | secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0); | |
| 4245 | 1 | secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1); | |
| 4246 | 1 | secp256k1_scalar negone; | |
| 4247 | 1 | secp256k1_gej res1; | |
| 4248 | 1 | secp256k1_ge res2; | |
| 4249 | 1 | secp256k1_ge point; | |
| 4250 | 1 | secp256k1_scalar_negate(&negone, &one); | |
| 4251 | |||
| 4252 | 1 | random_group_element_test(&point); | |
| 4253 | 1 | secp256k1_ecmult_const(&res1, &point, &zero, 3); | |
| 4254 | 1 | secp256k1_ge_set_gej(&res2, &res1); | |
| 4255 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_ge_is_infinity(&res2)); |
| 4256 | 1 | secp256k1_ecmult_const(&res1, &point, &one, 2); | |
| 4257 | 1 | secp256k1_ge_set_gej(&res2, &res1); | |
| 4258 | 1 | ge_equals_ge(&res2, &point); | |
| 4259 | 1 | secp256k1_ecmult_const(&res1, &point, &negone, 256); | |
| 4260 | 1 | secp256k1_gej_neg(&res1, &res1); | |
| 4261 | 1 | secp256k1_ge_set_gej(&res2, &res1); | |
| 4262 | 1 | ge_equals_ge(&res2, &point); | |
| 4263 | 1 | } | |
| 4264 | |||
| 4265 | 1 | void ecmult_const_chain_multiply(void) { | |
| 4266 | /* Check known result (randomly generated test problem from sage) */ | ||
| 4267 | 1 | const secp256k1_scalar scalar = SECP256K1_SCALAR_CONST( | |
| 4268 | 0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d, | ||
| 4269 | 0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b | ||
| 4270 | ); | ||
| 4271 | 1 | const secp256k1_gej expected_point = SECP256K1_GEJ_CONST( | |
| 4272 | 0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd, | ||
| 4273 | 0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f, | ||
| 4274 | 0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196, | ||
| 4275 | 0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435 | ||
| 4276 | ); | ||
| 4277 | 1 | secp256k1_gej point; | |
| 4278 | 1 | secp256k1_ge res; | |
| 4279 | 1 | int i; | |
| 4280 | |||
| 4281 | 1 | secp256k1_gej_set_ge(&point, &secp256k1_ge_const_g); | |
| 4282 |
2/2✓ Branch 1 taken 100 times.
✓ Branch 2 taken 1 times.
|
102 | for (i = 0; i < 100; ++i) { |
| 4283 | 100 | secp256k1_ge tmp; | |
| 4284 | 100 | secp256k1_ge_set_gej(&tmp, &point); | |
| 4285 | 100 | secp256k1_ecmult_const(&point, &tmp, &scalar, 256); | |
| 4286 | } | ||
| 4287 | 1 | secp256k1_ge_set_gej(&res, &point); | |
| 4288 | 1 | ge_equals_gej(&res, &expected_point); | |
| 4289 | 1 | } | |
| 4290 | |||
| 4291 | 1 | void run_ecmult_const_tests(void) { | |
| 4292 | 1 | ecmult_const_mult_zero_one(); | |
| 4293 | 1 | ecmult_const_random_mult(); | |
| 4294 | 1 | ecmult_const_commutativity(); | |
| 4295 | 1 | ecmult_const_chain_multiply(); | |
| 4296 | 1 | } | |
| 4297 | |||
| 4298 | typedef struct { | ||
| 4299 | secp256k1_scalar *sc; | ||
| 4300 | secp256k1_ge *pt; | ||
| 4301 | } ecmult_multi_data; | ||
| 4302 | |||
| 4303 | 183543 | static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) { | |
| 4304 | 183543 | ecmult_multi_data *data = (ecmult_multi_data*) cbdata; | |
| 4305 | 183543 | *sc = data->sc[idx]; | |
| 4306 | 183543 | *pt = data->pt[idx]; | |
| 4307 | 183543 | return 1; | |
| 4308 | } | ||
| 4309 | |||
| 4310 | 320 | static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) { | |
| 4311 | 320 | (void)sc; | |
| 4312 | 320 | (void)pt; | |
| 4313 | 320 | (void)idx; | |
| 4314 | 320 | (void)cbdata; | |
| 4315 | 320 | return 0; | |
| 4316 | } | ||
| 4317 | |||
| 4318 | 5 | void test_ecmult_multi(secp256k1_scratch *scratch, secp256k1_ecmult_multi_func ecmult_multi) { | |
| 4319 | 5 | int ncount; | |
| 4320 | 5 | secp256k1_scalar szero; | |
| 4321 | 5 | secp256k1_scalar sc[32]; | |
| 4322 | 5 | secp256k1_ge pt[32]; | |
| 4323 | 5 | secp256k1_gej r; | |
| 4324 | 5 | secp256k1_gej r2; | |
| 4325 | 5 | ecmult_multi_data data; | |
| 4326 | |||
| 4327 | 5 | data.sc = sc; | |
| 4328 | 5 | data.pt = pt; | |
| 4329 | 5 | secp256k1_scalar_set_int(&szero, 0); | |
| 4330 | |||
| 4331 | /* No points to multiply */ | ||
| 4332 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 5 times.
|
5 | CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, NULL, ecmult_multi_callback, &data, 0)); |
| 4333 | |||
| 4334 | /* Check 1- and 2-point multiplies against ecmult */ | ||
| 4335 |
2/2✓ Branch 0 taken 320 times.
✓ Branch 1 taken 5 times.
|
325 | for (ncount = 0; ncount < count; ncount++) { |
| 4336 | 320 | secp256k1_ge ptg; | |
| 4337 | 320 | secp256k1_gej ptgj; | |
| 4338 | 320 | random_scalar_order(&sc[0]); | |
| 4339 | 320 | random_scalar_order(&sc[1]); | |
| 4340 | |||
| 4341 | 320 | random_group_element_test(&ptg); | |
| 4342 | 320 | secp256k1_gej_set_ge(&ptgj, &ptg); | |
| 4343 | 320 | pt[0] = ptg; | |
| 4344 | 320 | pt[1] = secp256k1_ge_const_g; | |
| 4345 | |||
| 4346 | /* only G scalar */ | ||
| 4347 | 320 | secp256k1_ecmult(&r2, &ptgj, &szero, &sc[0]); | |
| 4348 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 320 times.
|
320 | CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &sc[0], ecmult_multi_callback, &data, 0)); |
| 4349 | 320 | secp256k1_gej_neg(&r2, &r2); | |
| 4350 | 320 | secp256k1_gej_add_var(&r, &r, &r2, NULL); | |
| 4351 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 320 times.
|
320 | CHECK(secp256k1_gej_is_infinity(&r)); |
| 4352 | |||
| 4353 | /* 1-point */ | ||
| 4354 | 320 | secp256k1_ecmult(&r2, &ptgj, &sc[0], &szero); | |
| 4355 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 320 times.
|
320 | CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, 1)); |
| 4356 | 320 | secp256k1_gej_neg(&r2, &r2); | |
| 4357 | 320 | secp256k1_gej_add_var(&r, &r, &r2, NULL); | |
| 4358 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 320 times.
|
320 | CHECK(secp256k1_gej_is_infinity(&r)); |
| 4359 | |||
| 4360 | /* Try to multiply 1 point, but callback returns false */ | ||
| 4361 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 320 times.
|
320 | CHECK(!ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_false_callback, &data, 1)); |
| 4362 | |||
| 4363 | /* 2-point */ | ||
| 4364 | 320 | secp256k1_ecmult(&r2, &ptgj, &sc[0], &sc[1]); | |
| 4365 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 320 times.
|
320 | CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, 2)); |
| 4366 | 320 | secp256k1_gej_neg(&r2, &r2); | |
| 4367 | 320 | secp256k1_gej_add_var(&r, &r, &r2, NULL); | |
| 4368 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 320 times.
|
320 | CHECK(secp256k1_gej_is_infinity(&r)); |
| 4369 | |||
| 4370 | /* 2-point with G scalar */ | ||
| 4371 | 320 | secp256k1_ecmult(&r2, &ptgj, &sc[0], &sc[1]); | |
| 4372 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 320 times.
|
320 | CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &sc[1], ecmult_multi_callback, &data, 1)); |
| 4373 | 320 | secp256k1_gej_neg(&r2, &r2); | |
| 4374 | 320 | secp256k1_gej_add_var(&r, &r, &r2, NULL); | |
| 4375 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 320 times.
|
320 | CHECK(secp256k1_gej_is_infinity(&r)); |
| 4376 | } | ||
| 4377 | |||
| 4378 | /* Check infinite outputs of various forms */ | ||
| 4379 |
2/2✓ Branch 0 taken 320 times.
✓ Branch 1 taken 5 times.
|
325 | for (ncount = 0; ncount < count; ncount++) { |
| 4380 | 320 | secp256k1_ge ptg; | |
| 4381 | 320 | size_t i, j; | |
| 4382 | 320 | size_t sizes[] = { 2, 10, 32 }; | |
| 4383 | |||
| 4384 |
2/2✓ Branch 0 taken 960 times.
✓ Branch 1 taken 320 times.
|
1280 | for (j = 0; j < 3; j++) { |
| 4385 |
2/2✓ Branch 0 taken 30720 times.
✓ Branch 1 taken 960 times.
|
31680 | for (i = 0; i < 32; i++) { |
| 4386 | 30720 | random_scalar_order(&sc[i]); | |
| 4387 | 30720 | secp256k1_ge_set_infinity(&pt[i]); | |
| 4388 | } | ||
| 4389 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 960 times.
|
960 | CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j])); |
| 4390 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 960 times.
|
960 | CHECK(secp256k1_gej_is_infinity(&r)); |
| 4391 | } | ||
| 4392 | |||
| 4393 |
2/2✓ Branch 0 taken 960 times.
✓ Branch 1 taken 320 times.
|
1280 | for (j = 0; j < 3; j++) { |
| 4394 |
2/2✓ Branch 0 taken 30720 times.
✓ Branch 1 taken 960 times.
|
31680 | for (i = 0; i < 32; i++) { |
| 4395 | 30720 | random_group_element_test(&ptg); | |
| 4396 | 30720 | pt[i] = ptg; | |
| 4397 | 30720 | secp256k1_scalar_set_int(&sc[i], 0); | |
| 4398 | } | ||
| 4399 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 960 times.
|
960 | CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j])); |
| 4400 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 960 times.
|
960 | CHECK(secp256k1_gej_is_infinity(&r)); |
| 4401 | } | ||
| 4402 | |||
| 4403 |
2/2✓ Branch 0 taken 960 times.
✓ Branch 1 taken 320 times.
|
1280 | for (j = 0; j < 3; j++) { |
| 4404 | 960 | random_group_element_test(&ptg); | |
| 4405 |
2/2✓ Branch 1 taken 15360 times.
✓ Branch 2 taken 960 times.
|
17280 | for (i = 0; i < 16; i++) { |
| 4406 | 15360 | random_scalar_order(&sc[2*i]); | |
| 4407 | 15360 | secp256k1_scalar_negate(&sc[2*i + 1], &sc[2*i]); | |
| 4408 | 15360 | pt[2 * i] = ptg; | |
| 4409 | 15360 | pt[2 * i + 1] = ptg; | |
| 4410 | } | ||
| 4411 | |||
| 4412 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 960 times.
|
960 | CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j])); |
| 4413 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 960 times.
|
960 | CHECK(secp256k1_gej_is_infinity(&r)); |
| 4414 | |||
| 4415 | 960 | random_scalar_order(&sc[0]); | |
| 4416 |
2/2✓ Branch 1 taken 15360 times.
✓ Branch 2 taken 960 times.
|
17280 | for (i = 0; i < 16; i++) { |
| 4417 | 15360 | random_group_element_test(&ptg); | |
| 4418 | |||
| 4419 | 15360 | sc[2*i] = sc[0]; | |
| 4420 | 15360 | sc[2*i+1] = sc[0]; | |
| 4421 | 15360 | pt[2 * i] = ptg; | |
| 4422 | 15360 | secp256k1_ge_neg(&pt[2*i+1], &pt[2*i]); | |
| 4423 | } | ||
| 4424 | |||
| 4425 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 960 times.
|
960 | CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j])); |
| 4426 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 960 times.
|
960 | CHECK(secp256k1_gej_is_infinity(&r)); |
| 4427 | } | ||
| 4428 | |||
| 4429 | 320 | random_group_element_test(&ptg); | |
| 4430 | 320 | secp256k1_scalar_set_int(&sc[0], 0); | |
| 4431 | 320 | pt[0] = ptg; | |
| 4432 |
2/2✓ Branch 0 taken 9920 times.
✓ Branch 1 taken 320 times.
|
10240 | for (i = 1; i < 32; i++) { |
| 4433 | 9920 | pt[i] = ptg; | |
| 4434 | |||
| 4435 | 9920 | random_scalar_order(&sc[i]); | |
| 4436 | 9920 | secp256k1_scalar_add(&sc[0], &sc[0], &sc[i]); | |
| 4437 | 9920 | secp256k1_scalar_negate(&sc[i], &sc[i]); | |
| 4438 | } | ||
| 4439 | |||
| 4440 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 320 times.
|
320 | CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, 32)); |
| 4441 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 320 times.
|
320 | CHECK(secp256k1_gej_is_infinity(&r)); |
| 4442 | } | ||
| 4443 | |||
| 4444 | /* Check random points, constant scalar */ | ||
| 4445 |
2/2✓ Branch 0 taken 320 times.
✓ Branch 1 taken 5 times.
|
325 | for (ncount = 0; ncount < count; ncount++) { |
| 4446 | 320 | size_t i; | |
| 4447 | 320 | secp256k1_gej_set_infinity(&r); | |
| 4448 | |||
| 4449 | 320 | random_scalar_order(&sc[0]); | |
| 4450 |
2/2✓ Branch 1 taken 6400 times.
✓ Branch 2 taken 320 times.
|
7040 | for (i = 0; i < 20; i++) { |
| 4451 | 6400 | secp256k1_ge ptg; | |
| 4452 | 6400 | sc[i] = sc[0]; | |
| 4453 | 6400 | random_group_element_test(&ptg); | |
| 4454 | 6400 | pt[i] = ptg; | |
| 4455 | 6400 | secp256k1_gej_add_ge_var(&r, &r, &pt[i], NULL); | |
| 4456 | } | ||
| 4457 | |||
| 4458 | 320 | secp256k1_ecmult(&r2, &r, &sc[0], &szero); | |
| 4459 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 320 times.
|
320 | CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, 20)); |
| 4460 | 320 | secp256k1_gej_neg(&r2, &r2); | |
| 4461 | 320 | secp256k1_gej_add_var(&r, &r, &r2, NULL); | |
| 4462 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 320 times.
|
320 | CHECK(secp256k1_gej_is_infinity(&r)); |
| 4463 | } | ||
| 4464 | |||
| 4465 | /* Check random scalars, constant point */ | ||
| 4466 |
2/2✓ Branch 0 taken 320 times.
✓ Branch 1 taken 5 times.
|
325 | for (ncount = 0; ncount < count; ncount++) { |
| 4467 | 320 | size_t i; | |
| 4468 | 320 | secp256k1_ge ptg; | |
| 4469 | 320 | secp256k1_gej p0j; | |
| 4470 | 320 | secp256k1_scalar rs; | |
| 4471 | 320 | secp256k1_scalar_set_int(&rs, 0); | |
| 4472 | |||
| 4473 | 320 | random_group_element_test(&ptg); | |
| 4474 |
2/2✓ Branch 1 taken 6400 times.
✓ Branch 2 taken 320 times.
|
7040 | for (i = 0; i < 20; i++) { |
| 4475 | 6400 | random_scalar_order(&sc[i]); | |
| 4476 | 6400 | pt[i] = ptg; | |
| 4477 | 6400 | secp256k1_scalar_add(&rs, &rs, &sc[i]); | |
| 4478 | } | ||
| 4479 | |||
| 4480 | 320 | secp256k1_gej_set_ge(&p0j, &pt[0]); | |
| 4481 | 320 | secp256k1_ecmult(&r2, &p0j, &rs, &szero); | |
| 4482 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 320 times.
|
320 | CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, 20)); |
| 4483 | 320 | secp256k1_gej_neg(&r2, &r2); | |
| 4484 | 320 | secp256k1_gej_add_var(&r, &r, &r2, NULL); | |
| 4485 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 320 times.
|
320 | CHECK(secp256k1_gej_is_infinity(&r)); |
| 4486 | } | ||
| 4487 | |||
| 4488 | /* Sanity check that zero scalars don't cause problems */ | ||
| 4489 |
2/2✓ Branch 0 taken 100 times.
✓ Branch 1 taken 5 times.
|
105 | for (ncount = 0; ncount < 20; ncount++) { |
| 4490 | 100 | random_scalar_order(&sc[ncount]); | |
| 4491 | 100 | random_group_element_test(&pt[ncount]); | |
| 4492 | } | ||
| 4493 | |||
| 4494 | 5 | secp256k1_scalar_clear(&sc[0]); | |
| 4495 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 5 times.
|
5 | CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, 20)); |
| 4496 | 5 | secp256k1_scalar_clear(&sc[1]); | |
| 4497 | 5 | secp256k1_scalar_clear(&sc[2]); | |
| 4498 | 5 | secp256k1_scalar_clear(&sc[3]); | |
| 4499 | 5 | secp256k1_scalar_clear(&sc[4]); | |
| 4500 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 5 times.
|
5 | CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, 6)); |
| 4501 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 5 times.
|
5 | CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, 5)); |
| 4502 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 5 times.
|
5 | CHECK(secp256k1_gej_is_infinity(&r)); |
| 4503 | |||
| 4504 | /* Run through s0*(t0*P) + s1*(t1*P) exhaustively for many small values of s0, s1, t0, t1 */ | ||
| 4505 | { | ||
| 4506 | 5 | const size_t TOP = 8; | |
| 4507 | 5 | size_t s0i, s1i; | |
| 4508 | 5 | size_t t0i, t1i; | |
| 4509 | 5 | secp256k1_ge ptg; | |
| 4510 | 5 | secp256k1_gej ptgj; | |
| 4511 | |||
| 4512 | 5 | random_group_element_test(&ptg); | |
| 4513 | 5 | secp256k1_gej_set_ge(&ptgj, &ptg); | |
| 4514 | |||
| 4515 |
2/2✓ Branch 1 taken 40 times.
✓ Branch 2 taken 5 times.
|
50 | for(t0i = 0; t0i < TOP; t0i++) { |
| 4516 |
2/2✓ Branch 0 taken 320 times.
✓ Branch 1 taken 40 times.
|
360 | for(t1i = 0; t1i < TOP; t1i++) { |
| 4517 | 320 | secp256k1_gej t0p, t1p; | |
| 4518 | 320 | secp256k1_scalar t0, t1; | |
| 4519 | |||
| 4520 | 320 | secp256k1_scalar_set_int(&t0, (t0i + 1) / 2); | |
| 4521 | 320 | secp256k1_scalar_cond_negate(&t0, t0i & 1); | |
| 4522 | 320 | secp256k1_scalar_set_int(&t1, (t1i + 1) / 2); | |
| 4523 | 320 | secp256k1_scalar_cond_negate(&t1, t1i & 1); | |
| 4524 | |||
| 4525 | 320 | secp256k1_ecmult(&t0p, &ptgj, &t0, &szero); | |
| 4526 | 320 | secp256k1_ecmult(&t1p, &ptgj, &t1, &szero); | |
| 4527 | |||
| 4528 |
2/2✓ Branch 1 taken 2560 times.
✓ Branch 2 taken 320 times.
|
3200 | for(s0i = 0; s0i < TOP; s0i++) { |
| 4529 |
2/2✓ Branch 0 taken 20480 times.
✓ Branch 1 taken 2560 times.
|
23040 | for(s1i = 0; s1i < TOP; s1i++) { |
| 4530 | 20480 | secp256k1_scalar tmp1, tmp2; | |
| 4531 | 20480 | secp256k1_gej expected, actual; | |
| 4532 | |||
| 4533 | 20480 | secp256k1_ge_set_gej(&pt[0], &t0p); | |
| 4534 | 20480 | secp256k1_ge_set_gej(&pt[1], &t1p); | |
| 4535 | |||
| 4536 | 20480 | secp256k1_scalar_set_int(&sc[0], (s0i + 1) / 2); | |
| 4537 | 20480 | secp256k1_scalar_cond_negate(&sc[0], s0i & 1); | |
| 4538 | 20480 | secp256k1_scalar_set_int(&sc[1], (s1i + 1) / 2); | |
| 4539 | 20480 | secp256k1_scalar_cond_negate(&sc[1], s1i & 1); | |
| 4540 | |||
| 4541 | 20480 | secp256k1_scalar_mul(&tmp1, &t0, &sc[0]); | |
| 4542 | 20480 | secp256k1_scalar_mul(&tmp2, &t1, &sc[1]); | |
| 4543 | 20480 | secp256k1_scalar_add(&tmp1, &tmp1, &tmp2); | |
| 4544 | |||
| 4545 | 20480 | secp256k1_ecmult(&expected, &ptgj, &tmp1, &szero); | |
| 4546 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 20480 times.
|
20480 | CHECK(ecmult_multi(&ctx->error_callback, scratch, &actual, &szero, ecmult_multi_callback, &data, 2)); |
| 4547 | 20480 | secp256k1_gej_neg(&expected, &expected); | |
| 4548 | 20480 | secp256k1_gej_add_var(&actual, &actual, &expected, NULL); | |
| 4549 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 20480 times.
|
20480 | CHECK(secp256k1_gej_is_infinity(&actual)); |
| 4550 | } | ||
| 4551 | } | ||
| 4552 | } | ||
| 4553 | } | ||
| 4554 | } | ||
| 4555 | 5 | } | |
| 4556 | |||
| 4557 | 1442 | int test_ecmult_multi_random(secp256k1_scratch *scratch) { | |
| 4558 | /* Large random test for ecmult_multi_* functions which exercises: | ||
| 4559 | * - Few or many inputs (0 up to 128, roughly exponentially distributed). | ||
| 4560 | * - Few or many 0*P or a*INF inputs (roughly uniformly distributed). | ||
| 4561 | * - Including or excluding an nonzero a*G term (or such a term at all). | ||
| 4562 | * - Final expected result equal to infinity or not (roughly 50%). | ||
| 4563 | * - ecmult_multi_var, ecmult_strauss_single_batch, ecmult_pippenger_single_batch | ||
| 4564 | */ | ||
| 4565 | |||
| 4566 | /* These 4 variables define the eventual input to the ecmult_multi function. | ||
| 4567 | * g_scalar is the G scalar fed to it (or NULL, possibly, if g_scalar=0), and | ||
| 4568 | * scalars[0..filled-1] and gejs[0..filled-1] are the scalars and points | ||
| 4569 | * which form its normal inputs. */ | ||
| 4570 | 1442 | int filled = 0; | |
| 4571 | 1442 | secp256k1_scalar g_scalar = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0); | |
| 4572 | 1442 | secp256k1_scalar scalars[128]; | |
| 4573 | 1442 | secp256k1_gej gejs[128]; | |
| 4574 | /* The expected result, and the computed result. */ | ||
| 4575 | 1442 | secp256k1_gej expected, computed; | |
| 4576 | /* Temporaries. */ | ||
| 4577 | 1442 | secp256k1_scalar sc_tmp; | |
| 4578 | 1442 | secp256k1_ge ge_tmp; | |
| 4579 | /* Variables needed for the actual input to ecmult_multi. */ | ||
| 4580 | 1442 | secp256k1_ge ges[128]; | |
| 4581 | 1442 | ecmult_multi_data data; | |
| 4582 | |||
| 4583 | 1442 | int i; | |
| 4584 | /* Which multiplication function to use */ | ||
| 4585 | 1442 | int fn = secp256k1_testrand_int(3); | |
| 4586 |
2/2✓ Branch 0 taken 985 times.
✓ Branch 1 taken 457 times.
|
1442 | secp256k1_ecmult_multi_func ecmult_multi = fn == 0 ? secp256k1_ecmult_multi_var : |
| 4587 |
2/2✓ Branch 0 taken 509 times.
✓ Branch 1 taken 476 times.
|
985 | fn == 1 ? secp256k1_ecmult_strauss_batch_single : |
| 4588 | secp256k1_ecmult_pippenger_batch_single; | ||
| 4589 | /* Simulate exponentially distributed num. */ | ||
| 4590 | 1442 | int num_bits = 2 + secp256k1_testrand_int(6); | |
| 4591 | /* Number of (scalar, point) inputs (excluding g). */ | ||
| 4592 | 1442 | int num = secp256k1_testrand_int((1 << num_bits) + 1); | |
| 4593 | /* Number of those which are nonzero. */ | ||
| 4594 | 1442 | int num_nonzero = secp256k1_testrand_int(num + 1); | |
| 4595 | /* Whether we're aiming to create an input with nonzero expected result. */ | ||
| 4596 | 1442 | int nonzero_result = secp256k1_testrand_bits(1); | |
| 4597 | /* Whether we will provide nonzero g multiplicand. In some cases our hand | ||
| 4598 | * is forced here based on num_nonzero and nonzero_result. */ | ||
| 4599 |
2/2✓ Branch 0 taken 1150 times.
✓ Branch 1 taken 292 times.
|
1442 | int g_nonzero = num_nonzero == 0 ? nonzero_result : |
| 4600 |
2/2✓ Branch 0 taken 1052 times.
✓ Branch 1 taken 98 times.
|
2202 | num_nonzero == 1 && !nonzero_result ? 1 : |
| 4601 | 1052 | (int)secp256k1_testrand_bits(1); | |
| 4602 | /* Which g_scalar pointer to pass into ecmult_multi(). */ | ||
| 4603 |
4/4✓ Branch 0 taken 678 times.
✓ Branch 1 taken 666 times.
✓ Branch 3 taken 364 times.
✓ Branch 4 taken 314 times.
|
1344 | const secp256k1_scalar* g_scalar_ptr = (g_nonzero || secp256k1_testrand_bits(1)) ? &g_scalar : NULL; |
| 4604 | /* How many EC multiplications were performed in this function. */ | ||
| 4605 | 1442 | int mults = 0; | |
| 4606 | /* How many randomization steps to apply to the input list. */ | ||
| 4607 | 1442 | int rands = (int)secp256k1_testrand_bits(3); | |
| 4608 | 1442 | if (rands > num_nonzero) rands = num_nonzero; | |
| 4609 | |||
| 4610 | 1442 | secp256k1_gej_set_infinity(&expected); | |
| 4611 | 1442 | secp256k1_gej_set_infinity(&gejs[0]); | |
| 4612 |
2/2✓ Branch 0 taken 678 times.
✓ Branch 1 taken 764 times.
|
1442 | secp256k1_scalar_set_int(&scalars[0], 0); |
| 4613 | |||
| 4614 |
2/2✓ Branch 0 taken 678 times.
✓ Branch 1 taken 764 times.
|
1442 | if (g_nonzero) { |
| 4615 | /* If g_nonzero, set g_scalar to nonzero value r. */ | ||
| 4616 | 764 | random_scalar_order_test(&g_scalar); | |
| 4617 |
2/2✓ Branch 0 taken 428 times.
✓ Branch 1 taken 336 times.
|
764 | if (!nonzero_result) { |
| 4618 | /* If expected=0 is desired, add a (a*r, -(1/a)*g) term to compensate. */ | ||
| 4619 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 336 times.
|
336 | CHECK(num_nonzero > filled); |
| 4620 | 336 | random_scalar_order_test(&sc_tmp); | |
| 4621 | 336 | secp256k1_scalar_mul(&scalars[filled], &sc_tmp, &g_scalar); | |
| 4622 | 336 | secp256k1_scalar_inverse_var(&sc_tmp, &sc_tmp); | |
| 4623 | 336 | secp256k1_scalar_negate(&sc_tmp, &sc_tmp); | |
| 4624 | 336 | secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &gejs[filled], &sc_tmp); | |
| 4625 | 336 | ++filled; | |
| 4626 | 336 | ++mults; | |
| 4627 | } | ||
| 4628 | } | ||
| 4629 | |||
| 4630 |
2/2✓ Branch 0 taken 574 times.
✓ Branch 1 taken 868 times.
|
1442 | if (nonzero_result && filled < num_nonzero) { |
| 4631 | /* If a nonzero result is desired, and there is space, add a random nonzero term. */ | ||
| 4632 | 574 | random_scalar_order_test(&scalars[filled]); | |
| 4633 | 574 | random_group_element_test(&ge_tmp); | |
| 4634 | 574 | secp256k1_gej_set_ge(&gejs[filled], &ge_tmp); | |
| 4635 | 574 | ++filled; | |
| 4636 | } | ||
| 4637 | |||
| 4638 |
2/2✓ Branch 0 taken 724 times.
✓ Branch 1 taken 718 times.
|
1442 | if (nonzero_result) { |
| 4639 | /* Compute the expected result using normal ecmult. */ | ||
| 4640 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 724 times.
|
724 | CHECK(filled <= 1); |
| 4641 | 724 | secp256k1_ecmult(&expected, &gejs[0], &scalars[0], &g_scalar); | |
| 4642 | 724 | mults += filled + g_nonzero; | |
| 4643 | } | ||
| 4644 | |||
| 4645 | /* At this point we have expected = scalar_g*G + sum(scalars[i]*gejs[i] for i=0..filled-1). */ | ||
| 4646 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1442 times.
|
1442 | CHECK(filled <= 1 + !nonzero_result); |
| 4647 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1442 times.
|
1442 | CHECK(filled <= num_nonzero); |
| 4648 | |||
| 4649 | /* Add entries to scalars,gejs so that there are num of them. All the added entries | ||
| 4650 | * either have scalar=0 or point=infinity, so these do not change the expected result. */ | ||
| 4651 |
2/2✓ Branch 0 taken 29550 times.
✓ Branch 1 taken 1442 times.
|
30992 | while (filled < num) { |
| 4652 |
2/2✓ Branch 1 taken 14863 times.
✓ Branch 2 taken 14687 times.
|
29550 | if (secp256k1_testrand_bits(1)) { |
| 4653 | 14863 | secp256k1_gej_set_infinity(&gejs[filled]); | |
| 4654 | 14863 | random_scalar_order_test(&scalars[filled]); | |
| 4655 | } else { | ||
| 4656 | 14687 | secp256k1_scalar_set_int(&scalars[filled], 0); | |
| 4657 | 14687 | random_group_element_test(&ge_tmp); | |
| 4658 | 14687 | secp256k1_gej_set_ge(&gejs[filled], &ge_tmp); | |
| 4659 | } | ||
| 4660 | 29550 | ++filled; | |
| 4661 | } | ||
| 4662 | |||
| 4663 | /* Now perform cheapish transformations on gejs and scalars, for indices | ||
| 4664 | * 0..num_nonzero-1, which do not change the expected result, but may | ||
| 4665 | * convert some of them to be both non-0-scalar and non-infinity-point. */ | ||
| 4666 |
2/2✓ Branch 0 taken 3079 times.
✓ Branch 1 taken 1442 times.
|
4521 | for (i = 0; i < rands; ++i) { |
| 4667 | int j; | ||
| 4668 | secp256k1_scalar v, iv; | ||
| 4669 | /* Shuffle the entries. */ | ||
| 4670 |
2/2✓ Branch 0 taken 49979 times.
✓ Branch 1 taken 3079 times.
|
53058 | for (j = 0; j < num_nonzero; ++j) { |
| 4671 | 49979 | int k = secp256k1_testrand_int(num_nonzero - j); | |
| 4672 |
2/2✓ Branch 0 taken 41213 times.
✓ Branch 1 taken 8766 times.
|
49979 | if (k != 0) { |
| 4673 | 41213 | secp256k1_gej gej = gejs[j]; | |
| 4674 | 41213 | secp256k1_scalar sc = scalars[j]; | |
| 4675 | 41213 | gejs[j] = gejs[j + k]; | |
| 4676 | 41213 | scalars[j] = scalars[j + k]; | |
| 4677 | 41213 | gejs[j + k] = gej; | |
| 4678 | 41213 | scalars[j + k] = sc; | |
| 4679 | } | ||
| 4680 | } | ||
| 4681 | /* Perturb all consecutive pairs of inputs: | ||
| 4682 | * a*P + b*Q -> (a+b)*P + b*(Q-P). */ | ||
| 4683 |
2/2✓ Branch 0 taken 24202 times.
✓ Branch 1 taken 3079 times.
|
27281 | for (j = 0; j + 1 < num_nonzero; j += 2) { |
| 4684 | 24202 | secp256k1_gej gej; | |
| 4685 | 24202 | secp256k1_scalar_add(&scalars[j], &scalars[j], &scalars[j+1]); | |
| 4686 | 24202 | secp256k1_gej_neg(&gej, &gejs[j]); | |
| 4687 | 24202 | secp256k1_gej_add_var(&gejs[j+1], &gejs[j+1], &gej, NULL); | |
| 4688 | } | ||
| 4689 | /* Transform the last input: a*P -> (v*a) * ((1/v)*P). */ | ||
| 4690 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 3079 times.
|
3079 | CHECK(num_nonzero >= 1); |
| 4691 | 3079 | random_scalar_order_test(&v); | |
| 4692 | 3079 | secp256k1_scalar_inverse(&iv, &v); | |
| 4693 | 3079 | secp256k1_scalar_mul(&scalars[num_nonzero - 1], &scalars[num_nonzero - 1], &v); | |
| 4694 | 3079 | secp256k1_ecmult(&gejs[num_nonzero - 1], &gejs[num_nonzero - 1], &iv, NULL); | |
| 4695 | 3079 | ++mults; | |
| 4696 | } | ||
| 4697 | |||
| 4698 | /* Shuffle all entries (0..num-1). */ | ||
| 4699 |
2/2✓ Branch 0 taken 30460 times.
✓ Branch 1 taken 1442 times.
|
31902 | for (i = 0; i < num; ++i) { |
| 4700 | 30460 | int j = secp256k1_testrand_int(num - i); | |
| 4701 |
2/2✓ Branch 0 taken 26444 times.
✓ Branch 1 taken 4016 times.
|
30460 | if (j != 0) { |
| 4702 | 26444 | secp256k1_gej gej = gejs[i]; | |
| 4703 | 26444 | secp256k1_scalar sc = scalars[i]; | |
| 4704 | 26444 | gejs[i] = gejs[i + j]; | |
| 4705 | 26444 | scalars[i] = scalars[i + j]; | |
| 4706 | 26444 | gejs[i + j] = gej; | |
| 4707 | 26444 | scalars[i + j] = sc; | |
| 4708 | } | ||
| 4709 | } | ||
| 4710 | |||
| 4711 | /* Compute affine versions of all inputs. */ | ||
| 4712 | 1442 | secp256k1_ge_set_all_gej_var(ges, gejs, filled); | |
| 4713 | /* Invoke ecmult_multi code. */ | ||
| 4714 | 1442 | data.sc = scalars; | |
| 4715 | 1442 | data.pt = ges; | |
| 4716 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1442 times.
|
1442 | CHECK(ecmult_multi(&ctx->error_callback, scratch, &computed, g_scalar_ptr, ecmult_multi_callback, &data, filled)); |
| 4717 | 1442 | mults += num_nonzero + g_nonzero; | |
| 4718 | /* Compare with expected result. */ | ||
| 4719 | 1442 | secp256k1_gej_neg(&computed, &computed); | |
| 4720 | 1442 | secp256k1_gej_add_var(&computed, &computed, &expected, NULL); | |
| 4721 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1442 times.
|
1442 | CHECK(secp256k1_gej_is_infinity(&computed)); |
| 4722 | 1442 | return mults; | |
| 4723 | } | ||
| 4724 | |||
| 4725 | 2 | void test_ecmult_multi_batch_single(secp256k1_ecmult_multi_func ecmult_multi) { | |
| 4726 | 2 | secp256k1_scalar szero; | |
| 4727 | 2 | secp256k1_scalar sc; | |
| 4728 | 2 | secp256k1_ge pt; | |
| 4729 | 2 | secp256k1_gej r; | |
| 4730 | 2 | ecmult_multi_data data; | |
| 4731 | 2 | secp256k1_scratch *scratch_empty; | |
| 4732 | |||
| 4733 | 2 | random_group_element_test(&pt); | |
| 4734 | 2 | random_scalar_order(&sc); | |
| 4735 | 2 | data.sc = ≻ | |
| 4736 | 2 | data.pt = &pt; | |
| 4737 | 2 | secp256k1_scalar_set_int(&szero, 0); | |
| 4738 | |||
| 4739 | /* Try to multiply 1 point, but scratch space is empty.*/ | ||
| 4740 | 2 | scratch_empty = secp256k1_scratch_create(&ctx->error_callback, 0); | |
| 4741 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 2 times.
|
2 | CHECK(!ecmult_multi(&ctx->error_callback, scratch_empty, &r, &szero, ecmult_multi_callback, &data, 1)); |
| 4742 | 2 | secp256k1_scratch_destroy(&ctx->error_callback, scratch_empty); | |
| 4743 | 2 | } | |
| 4744 | |||
| 4745 | 1 | void test_secp256k1_pippenger_bucket_window_inv(void) { | |
| 4746 | 1 | int i; | |
| 4747 | |||
| 4748 | 1 | CHECK(secp256k1_pippenger_bucket_window_inv(0) == 0); | |
| 4749 |
2/2✓ Branch 0 taken 12 times.
✓ Branch 1 taken 1 times.
|
13 | for(i = 1; i <= PIPPENGER_MAX_BUCKET_WINDOW; i++) { |
| 4750 | /* Bucket_window of 8 is not used with endo */ | ||
| 4751 |
2/2✓ Branch 0 taken 1 times.
✓ Branch 1 taken 11 times.
|
12 | if (i == 8) { |
| 4752 | 1 | continue; | |
| 4753 | } | ||
| 4754 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 11 times.
|
11 | CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)) == i); |
| 4755 |
2/2✓ Branch 0 taken 10 times.
✓ Branch 1 taken 1 times.
|
11 | if (i != PIPPENGER_MAX_BUCKET_WINDOW) { |
| 4756 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 10 times.
|
12 | CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)+1) > i); |
| 4757 | } | ||
| 4758 | } | ||
| 4759 | 1 | } | |
| 4760 | |||
| 4761 | /** | ||
| 4762 | * Probabilistically test the function returning the maximum number of possible points | ||
| 4763 | * for a given scratch space. | ||
| 4764 | */ | ||
| 4765 | 1 | void test_ecmult_multi_pippenger_max_points(void) { | |
| 4766 | 1 | size_t scratch_size = secp256k1_testrand_bits(8); | |
| 4767 | 1 | size_t max_size = secp256k1_pippenger_scratch_size(secp256k1_pippenger_bucket_window_inv(PIPPENGER_MAX_BUCKET_WINDOW-1)+512, 12); | |
| 4768 | secp256k1_scratch *scratch; | ||
| 4769 | size_t n_points_supported; | ||
| 4770 | int bucket_window = 0; | ||
| 4771 | |||
| 4772 |
2/2✓ Branch 0 taken 25340 times.
✓ Branch 1 taken 1 times.
|
25341 | for(; scratch_size < max_size; scratch_size+=256) { |
| 4773 | 25340 | size_t i; | |
| 4774 | 25340 | size_t total_alloc; | |
| 4775 | 25340 | size_t checkpoint; | |
| 4776 | 25340 | scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size); | |
| 4777 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 25340 times.
|
25340 | CHECK(scratch != NULL); |
| 4778 | 25340 | checkpoint = secp256k1_scratch_checkpoint(&ctx->error_callback, scratch); | |
| 4779 | 25340 | n_points_supported = secp256k1_pippenger_max_points(&ctx->error_callback, scratch); | |
| 4780 |
2/2✓ Branch 0 taken 8 times.
✓ Branch 1 taken 25332 times.
|
25340 | if (n_points_supported == 0) { |
| 4781 | 8 | secp256k1_scratch_destroy(&ctx->error_callback, scratch); | |
| 4782 | 8 | continue; | |
| 4783 | } | ||
| 4784 | 25332 | bucket_window = secp256k1_pippenger_bucket_window(n_points_supported); | |
| 4785 | /* allocate `total_alloc` bytes over `PIPPENGER_SCRATCH_OBJECTS` many allocations */ | ||
| 4786 | 25332 | total_alloc = secp256k1_pippenger_scratch_size(n_points_supported, bucket_window); | |
| 4787 |
2/2✓ Branch 0 taken 126660 times.
✓ Branch 1 taken 25332 times.
|
151992 | for (i = 0; i < PIPPENGER_SCRATCH_OBJECTS - 1; i++) { |
| 4788 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 126660 times.
|
126660 | CHECK(secp256k1_scratch_alloc(&ctx->error_callback, scratch, 1)); |
| 4789 | 126660 | total_alloc--; | |
| 4790 | } | ||
| 4791 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 25332 times.
|
25332 | CHECK(secp256k1_scratch_alloc(&ctx->error_callback, scratch, total_alloc)); |
| 4792 | 25332 | secp256k1_scratch_apply_checkpoint(&ctx->error_callback, scratch, checkpoint); | |
| 4793 | 25332 | secp256k1_scratch_destroy(&ctx->error_callback, scratch); | |
| 4794 | } | ||
| 4795 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(bucket_window == PIPPENGER_MAX_BUCKET_WINDOW); |
| 4796 | 1 | } | |
| 4797 | |||
| 4798 | ✗ | void test_ecmult_multi_batch_size_helper(void) { | |
| 4799 | ✗ | size_t n_batches, n_batch_points, max_n_batch_points, n; | |
| 4800 | |||
| 4801 | ✗ | max_n_batch_points = 0; | |
| 4802 | ✗ | n = 1; | |
| 4803 | ✗ | CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 0); | |
| 4804 | |||
| 4805 | ✗ | max_n_batch_points = 1; | |
| 4806 | ✗ | n = 0; | |
| 4807 | ✗ | CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1); | |
| 4808 | ✗ | CHECK(n_batches == 0); | |
| 4809 | ✗ | CHECK(n_batch_points == 0); | |
| 4810 | |||
| 4811 | ✗ | max_n_batch_points = 2; | |
| 4812 | ✗ | n = 5; | |
| 4813 | ✗ | CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1); | |
| 4814 | ✗ | CHECK(n_batches == 3); | |
| 4815 | ✗ | CHECK(n_batch_points == 2); | |
| 4816 | |||
| 4817 | ✗ | max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH; | |
| 4818 | ✗ | n = ECMULT_MAX_POINTS_PER_BATCH; | |
| 4819 | ✗ | CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1); | |
| 4820 | ✗ | CHECK(n_batches == 1); | |
| 4821 | ✗ | CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH); | |
| 4822 | |||
| 4823 | ✗ | max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH + 1; | |
| 4824 | ✗ | n = ECMULT_MAX_POINTS_PER_BATCH + 1; | |
| 4825 | ✗ | CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1); | |
| 4826 | ✗ | CHECK(n_batches == 2); | |
| 4827 | ✗ | CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH/2 + 1); | |
| 4828 | |||
| 4829 | ✗ | max_n_batch_points = 1; | |
| 4830 | ✗ | n = SIZE_MAX; | |
| 4831 | ✗ | CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1); | |
| 4832 | ✗ | CHECK(n_batches == SIZE_MAX); | |
| 4833 | ✗ | CHECK(n_batch_points == 1); | |
| 4834 | |||
| 4835 | 1 | max_n_batch_points = 2; | |
| 4836 | 1 | n = SIZE_MAX; | |
| 4837 | ✗ | CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1); | |
| 4838 | ✗ | CHECK(n_batches == SIZE_MAX/2 + 1); | |
| 4839 | ✗ | CHECK(n_batch_points == 2); | |
| 4840 | } | ||
| 4841 | |||
| 4842 | /** | ||
| 4843 | * Run secp256k1_ecmult_multi_var with num points and a scratch space restricted to | ||
| 4844 | * 1 <= i <= num points. | ||
| 4845 | */ | ||
| 4846 | 1 | void test_ecmult_multi_batching(void) { | |
| 4847 | 1 | static const int n_points = 2*ECMULT_PIPPENGER_THRESHOLD; | |
| 4848 | 1 | secp256k1_scalar scG; | |
| 4849 | 1 | secp256k1_scalar szero; | |
| 4850 | 1 | secp256k1_scalar *sc = (secp256k1_scalar *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_scalar) * n_points); | |
| 4851 | 1 | secp256k1_ge *pt = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * n_points); | |
| 4852 | 1 | secp256k1_gej r; | |
| 4853 | 1 | secp256k1_gej r2; | |
| 4854 | 1 | ecmult_multi_data data; | |
| 4855 | 1 | int i; | |
| 4856 | 1 | secp256k1_scratch *scratch; | |
| 4857 | |||
| 4858 | 1 | secp256k1_gej_set_infinity(&r2); | |
| 4859 | 1 | secp256k1_scalar_set_int(&szero, 0); | |
| 4860 | |||
| 4861 | /* Get random scalars and group elements and compute result */ | ||
| 4862 | 1 | random_scalar_order(&scG); | |
| 4863 | 1 | secp256k1_ecmult(&r2, &r2, &szero, &scG); | |
| 4864 |
2/2✓ Branch 1 taken 176 times.
✓ Branch 2 taken 1 times.
|
178 | for(i = 0; i < n_points; i++) { |
| 4865 | 176 | secp256k1_ge ptg; | |
| 4866 | 176 | secp256k1_gej ptgj; | |
| 4867 | 176 | random_group_element_test(&ptg); | |
| 4868 | 176 | secp256k1_gej_set_ge(&ptgj, &ptg); | |
| 4869 | 176 | pt[i] = ptg; | |
| 4870 | 176 | random_scalar_order(&sc[i]); | |
| 4871 | 176 | secp256k1_ecmult(&ptgj, &ptgj, &sc[i], NULL); | |
| 4872 | 176 | secp256k1_gej_add_var(&r2, &r2, &ptgj, NULL); | |
| 4873 | } | ||
| 4874 | 1 | data.sc = sc; | |
| 4875 | 1 | data.pt = pt; | |
| 4876 | 1 | secp256k1_gej_neg(&r2, &r2); | |
| 4877 | |||
| 4878 | /* Test with empty scratch space. It should compute the correct result using | ||
| 4879 | * ecmult_mult_simple algorithm which doesn't require a scratch space. */ | ||
| 4880 | 1 | scratch = secp256k1_scratch_create(&ctx->error_callback, 0); | |
| 4881 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, scratch, &r, &scG, ecmult_multi_callback, &data, n_points)); |
| 4882 | 1 | secp256k1_gej_add_var(&r, &r, &r2, NULL); | |
| 4883 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_gej_is_infinity(&r)); |
| 4884 | 1 | secp256k1_scratch_destroy(&ctx->error_callback, scratch); | |
| 4885 | |||
| 4886 | /* Test with space for 1 point in pippenger. That's not enough because | ||
| 4887 | * ecmult_multi selects strauss which requires more memory. It should | ||
| 4888 | * therefore select the simple algorithm. */ | ||
| 4889 | 1 | scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_pippenger_scratch_size(1, 1) + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT); | |
| 4890 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, scratch, &r, &scG, ecmult_multi_callback, &data, n_points)); |
| 4891 | 1 | secp256k1_gej_add_var(&r, &r, &r2, NULL); | |
| 4892 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_gej_is_infinity(&r)); |
| 4893 | 1 | secp256k1_scratch_destroy(&ctx->error_callback, scratch); | |
| 4894 | |||
| 4895 |
2/2✓ Branch 1 taken 176 times.
✓ Branch 2 taken 1 times.
|
178 | for(i = 1; i <= n_points; i++) { |
| 4896 |
2/2✓ Branch 0 taken 88 times.
✓ Branch 1 taken 88 times.
|
176 | if (i > ECMULT_PIPPENGER_THRESHOLD) { |
| 4897 | 88 | int bucket_window = secp256k1_pippenger_bucket_window(i); | |
| 4898 | 88 | size_t scratch_size = secp256k1_pippenger_scratch_size(i, bucket_window); | |
| 4899 | 88 | scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT); | |
| 4900 | } else { | ||
| 4901 | 88 | size_t scratch_size = secp256k1_strauss_scratch_size(i); | |
| 4902 | 88 | scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT); | |
| 4903 | } | ||
| 4904 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 176 times.
|
176 | CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, scratch, &r, &scG, ecmult_multi_callback, &data, n_points)); |
| 4905 | 176 | secp256k1_gej_add_var(&r, &r, &r2, NULL); | |
| 4906 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 176 times.
|
176 | CHECK(secp256k1_gej_is_infinity(&r)); |
| 4907 | 176 | secp256k1_scratch_destroy(&ctx->error_callback, scratch); | |
| 4908 | } | ||
| 4909 | 1 | free(sc); | |
| 4910 | 1 | free(pt); | |
| 4911 | 1 | } | |
| 4912 | |||
| 4913 | 1 | void run_ecmult_multi_tests(void) { | |
| 4914 | 1 | secp256k1_scratch *scratch; | |
| 4915 | 1 | int64_t todo = (int64_t)320 * count; | |
| 4916 | |||
| 4917 | 1 | test_secp256k1_pippenger_bucket_window_inv(); | |
| 4918 | 1 | test_ecmult_multi_pippenger_max_points(); | |
| 4919 | 1 | scratch = secp256k1_scratch_create(&ctx->error_callback, 819200); | |
| 4920 | 1 | test_ecmult_multi(scratch, secp256k1_ecmult_multi_var); | |
| 4921 | 1 | test_ecmult_multi(NULL, secp256k1_ecmult_multi_var); | |
| 4922 | 1 | test_ecmult_multi(scratch, secp256k1_ecmult_pippenger_batch_single); | |
| 4923 | 1 | test_ecmult_multi_batch_single(secp256k1_ecmult_pippenger_batch_single); | |
| 4924 | 1 | test_ecmult_multi(scratch, secp256k1_ecmult_strauss_batch_single); | |
| 4925 | 1 | test_ecmult_multi_batch_single(secp256k1_ecmult_strauss_batch_single); | |
| 4926 |
2/2✓ Branch 1 taken 1442 times.
✓ Branch 2 taken 1 times.
|
1443 | while (todo > 0) { |
| 4927 | 1442 | todo -= test_ecmult_multi_random(scratch); | |
| 4928 | } | ||
| 4929 | 1 | secp256k1_scratch_destroy(&ctx->error_callback, scratch); | |
| 4930 | |||
| 4931 | /* Run test_ecmult_multi with space for exactly one point */ | ||
| 4932 | 1 | scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_strauss_scratch_size(1) + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT); | |
| 4933 | 1 | test_ecmult_multi(scratch, secp256k1_ecmult_multi_var); | |
| 4934 | 1 | secp256k1_scratch_destroy(&ctx->error_callback, scratch); | |
| 4935 | |||
| 4936 | 1 | test_ecmult_multi_batch_size_helper(); | |
| 4937 | 1 | test_ecmult_multi_batching(); | |
| 4938 | 1 | } | |
| 4939 | |||
| 4940 | 64 | void test_wnaf(const secp256k1_scalar *number, int w) { | |
| 4941 | 64 | secp256k1_scalar x, two, t; | |
| 4942 | 64 | int wnaf[256]; | |
| 4943 | 64 | int zeroes = -1; | |
| 4944 | 64 | int i; | |
| 4945 | 64 | int bits; | |
| 4946 | 64 | secp256k1_scalar_set_int(&x, 0); | |
| 4947 | 64 | secp256k1_scalar_set_int(&two, 2); | |
| 4948 | 64 | bits = secp256k1_ecmult_wnaf(wnaf, 256, number, w); | |
| 4949 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 64 times.
|
64 | CHECK(bits <= 256); |
| 4950 |
2/2✓ Branch 0 taken 16120 times.
✓ Branch 1 taken 64 times.
|
16184 | for (i = bits-1; i >= 0; i--) { |
| 4951 | 16120 | int v = wnaf[i]; | |
| 4952 | 16120 | secp256k1_scalar_mul(&x, &x, &two); | |
| 4953 |
2/2✓ Branch 0 taken 1976 times.
✓ Branch 1 taken 14144 times.
|
16120 | if (v) { |
| 4954 |
3/4✓ Branch 0 taken 1912 times.
✓ Branch 1 taken 64 times.
✗ Branch 2 not taken.
✓ Branch 3 taken 1912 times.
|
1976 | CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */ |
| 4955 | 1976 | zeroes=0; | |
| 4956 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1976 times.
|
1976 | CHECK((v & 1) == 1); /* check non-zero elements are odd */ |
| 4957 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1976 times.
|
1976 | CHECK(v <= (1 << (w-1)) - 1); /* check range below */ |
| 4958 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1976 times.
|
1976 | CHECK(v >= -(1 << (w-1)) - 1); /* check range above */ |
| 4959 | } else { | ||
| 4960 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 14144 times.
|
14144 | CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */ |
| 4961 | 14144 | zeroes++; | |
| 4962 | } | ||
| 4963 |
2/2✓ Branch 0 taken 15123 times.
✓ Branch 1 taken 997 times.
|
16120 | if (v >= 0) { |
| 4964 | 15123 | secp256k1_scalar_set_int(&t, v); | |
| 4965 | } else { | ||
| 4966 | 997 | secp256k1_scalar_set_int(&t, -v); | |
| 4967 | 997 | secp256k1_scalar_negate(&t, &t); | |
| 4968 | } | ||
| 4969 | 16120 | secp256k1_scalar_add(&x, &x, &t); | |
| 4970 | } | ||
| 4971 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 64 times.
|
64 | CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */ |
| 4972 | 64 | } | |
| 4973 | |||
| 4974 | 64 | void test_constant_wnaf_negate(const secp256k1_scalar *number) { | |
| 4975 | 64 | secp256k1_scalar neg1 = *number; | |
| 4976 | 64 | secp256k1_scalar neg2 = *number; | |
| 4977 | 64 | int sign1 = 1; | |
| 4978 | 64 | int sign2 = 1; | |
| 4979 | |||
| 4980 |
2/2✓ Branch 0 taken 26 times.
✓ Branch 1 taken 38 times.
|
64 | if (!secp256k1_scalar_get_bits(&neg1, 0, 1)) { |
| 4981 | 26 | secp256k1_scalar_negate(&neg1, &neg1); | |
| 4982 | 26 | sign1 = -1; | |
| 4983 | } | ||
| 4984 | 64 | sign2 = secp256k1_scalar_cond_negate(&neg2, secp256k1_scalar_is_even(&neg2)); | |
| 4985 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 64 times.
|
64 | CHECK(sign1 == sign2); |
| 4986 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 64 times.
|
64 | CHECK(secp256k1_scalar_eq(&neg1, &neg2)); |
| 4987 | 64 | } | |
| 4988 | |||
| 4989 | 71 | void test_constant_wnaf(const secp256k1_scalar *number, int w) { | |
| 4990 | 71 | secp256k1_scalar x, shift; | |
| 4991 | 71 | int wnaf[256] = {0}; | |
| 4992 | 71 | int i; | |
| 4993 | 71 | int skew; | |
| 4994 | 71 | int bits = 256; | |
| 4995 | 71 | secp256k1_scalar num = *number; | |
| 4996 | 71 | secp256k1_scalar scalar_skew; | |
| 4997 | |||
| 4998 | 71 | secp256k1_scalar_set_int(&x, 0); | |
| 4999 | 71 | secp256k1_scalar_set_int(&shift, 1 << w); | |
| 5000 |
2/2✓ Branch 0 taken 1136 times.
✓ Branch 1 taken 71 times.
|
1207 | for (i = 0; i < 16; ++i) { |
| 5001 | 1136 | secp256k1_scalar_shr_int(&num, 8); | |
| 5002 | } | ||
| 5003 | 71 | bits = 128; | |
| 5004 | 71 | skew = secp256k1_wnaf_const(wnaf, &num, w, bits); | |
| 5005 | |||
| 5006 |
2/2✓ Branch 0 taken 1450 times.
✓ Branch 1 taken 71 times.
|
1521 | for (i = WNAF_SIZE_BITS(bits, w); i >= 0; --i) { |
| 5007 | 1450 | secp256k1_scalar t; | |
| 5008 | 1450 | int v = wnaf[i]; | |
| 5009 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1450 times.
|
1450 | CHECK(v != 0); /* check nonzero */ |
| 5010 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1450 times.
|
1450 | CHECK(v & 1); /* check parity */ |
| 5011 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1450 times.
|
1450 | CHECK(v > -(1 << w)); /* check range above */ |
| 5012 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1450 times.
|
1450 | CHECK(v < (1 << w)); /* check range below */ |
| 5013 | |||
| 5014 | 1450 | secp256k1_scalar_mul(&x, &x, &shift); | |
| 5015 |
2/2✓ Branch 0 taken 770 times.
✓ Branch 1 taken 680 times.
|
1450 | if (v >= 0) { |
| 5016 | 770 | secp256k1_scalar_set_int(&t, v); | |
| 5017 | } else { | ||
| 5018 | 680 | secp256k1_scalar_set_int(&t, -v); | |
| 5019 | 680 | secp256k1_scalar_negate(&t, &t); | |
| 5020 | } | ||
| 5021 | 1450 | secp256k1_scalar_add(&x, &x, &t); | |
| 5022 | } | ||
| 5023 | /* Skew num because when encoding numbers as odd we use an offset */ | ||
| 5024 | 71 | secp256k1_scalar_set_int(&scalar_skew, skew); | |
| 5025 | 71 | secp256k1_scalar_add(&num, &num, &scalar_skew); | |
| 5026 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 71 times.
|
71 | CHECK(secp256k1_scalar_eq(&x, &num)); |
| 5027 | 71 | } | |
| 5028 | |||
| 5029 | 64 | void test_fixed_wnaf(const secp256k1_scalar *number, int w) { | |
| 5030 | 64 | secp256k1_scalar x, shift; | |
| 5031 | 64 | int wnaf[256] = {0}; | |
| 5032 | 64 | int i; | |
| 5033 | 64 | int skew; | |
| 5034 | 64 | secp256k1_scalar num = *number; | |
| 5035 | |||
| 5036 | 64 | secp256k1_scalar_set_int(&x, 0); | |
| 5037 | 64 | secp256k1_scalar_set_int(&shift, 1 << w); | |
| 5038 |
2/2✓ Branch 0 taken 1024 times.
✓ Branch 1 taken 64 times.
|
1088 | for (i = 0; i < 16; ++i) { |
| 5039 | 1024 | secp256k1_scalar_shr_int(&num, 8); | |
| 5040 | } | ||
| 5041 | 64 | skew = secp256k1_wnaf_fixed(wnaf, &num, w); | |
| 5042 | |||
| 5043 |
2/2✓ Branch 0 taken 1155 times.
✓ Branch 1 taken 64 times.
|
1219 | for (i = WNAF_SIZE(w)-1; i >= 0; --i) { |
| 5044 | 1155 | secp256k1_scalar t; | |
| 5045 | 1155 | int v = wnaf[i]; | |
| 5046 |
3/4✓ Branch 0 taken 1129 times.
✓ Branch 1 taken 26 times.
✗ Branch 2 not taken.
✓ Branch 3 taken 1129 times.
|
1155 | CHECK(v == 0 || v & 1); /* check parity */ |
| 5047 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1155 times.
|
1155 | CHECK(v > -(1 << w)); /* check range above */ |
| 5048 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1155 times.
|
1155 | CHECK(v < (1 << w)); /* check range below */ |
| 5049 | |||
| 5050 | 1155 | secp256k1_scalar_mul(&x, &x, &shift); | |
| 5051 |
2/2✓ Branch 0 taken 656 times.
✓ Branch 1 taken 499 times.
|
1155 | if (v >= 0) { |
| 5052 | 656 | secp256k1_scalar_set_int(&t, v); | |
| 5053 | } else { | ||
| 5054 | 499 | secp256k1_scalar_set_int(&t, -v); | |
| 5055 | 499 | secp256k1_scalar_negate(&t, &t); | |
| 5056 | } | ||
| 5057 | 1155 | secp256k1_scalar_add(&x, &x, &t); | |
| 5058 | } | ||
| 5059 | /* If skew is 1 then add 1 to num */ | ||
| 5060 | 64 | secp256k1_scalar_cadd_bit(&num, 0, skew == 1); | |
| 5061 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 64 times.
|
64 | CHECK(secp256k1_scalar_eq(&x, &num)); |
| 5062 | 64 | } | |
| 5063 | |||
| 5064 | /* Checks that the first 8 elements of wnaf are equal to wnaf_expected and the | ||
| 5065 | * rest is 0.*/ | ||
| 5066 | 4 | void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w) { | |
| 5067 | 4 | int i; | |
| 5068 |
2/2✓ Branch 0 taken 96 times.
✓ Branch 1 taken 4 times.
|
100 | for (i = WNAF_SIZE(w)-1; i >= 8; --i) { |
| 5069 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 96 times.
|
96 | CHECK(wnaf[i] == 0); |
| 5070 | } | ||
| 5071 |
2/2✓ Branch 0 taken 32 times.
✓ Branch 1 taken 4 times.
|
36 | for (i = 7; i >= 0; --i) { |
| 5072 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 32 times.
|
32 | CHECK(wnaf[i] == wnaf_expected[i]); |
| 5073 | } | ||
| 5074 | 4 | } | |
| 5075 | |||
| 5076 | 1 | void test_fixed_wnaf_small(void) { | |
| 5077 | 1 | int w = 4; | |
| 5078 | 1 | int wnaf[256] = {0}; | |
| 5079 | 1 | int i; | |
| 5080 | 1 | int skew; | |
| 5081 | 1 | secp256k1_scalar num; | |
| 5082 | |||
| 5083 | 1 | secp256k1_scalar_set_int(&num, 0); | |
| 5084 | 1 | skew = secp256k1_wnaf_fixed(wnaf, &num, w); | |
| 5085 |
2/2✓ Branch 1 taken 32 times.
✓ Branch 2 taken 1 times.
|
34 | for (i = WNAF_SIZE(w)-1; i >= 0; --i) { |
| 5086 | 32 | int v = wnaf[i]; | |
| 5087 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 32 times.
|
32 | CHECK(v == 0); |
| 5088 | } | ||
| 5089 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(skew == 0); |
| 5090 | |||
| 5091 | 1 | secp256k1_scalar_set_int(&num, 1); | |
| 5092 | 1 | skew = secp256k1_wnaf_fixed(wnaf, &num, w); | |
| 5093 |
2/2✓ Branch 1 taken 31 times.
✓ Branch 2 taken 1 times.
|
33 | for (i = WNAF_SIZE(w)-1; i >= 1; --i) { |
| 5094 | 31 | int v = wnaf[i]; | |
| 5095 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 31 times.
|
31 | CHECK(v == 0); |
| 5096 | } | ||
| 5097 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(wnaf[0] == 1); |
| 5098 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(skew == 0); |
| 5099 | |||
| 5100 | { | ||
| 5101 | 1 | int wnaf_expected[8] = { 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf }; | |
| 5102 | 1 | secp256k1_scalar_set_int(&num, 0xffffffff); | |
| 5103 | 1 | skew = secp256k1_wnaf_fixed(wnaf, &num, w); | |
| 5104 | 1 | test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w); | |
| 5105 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(skew == 0); |
| 5106 | } | ||
| 5107 | { | ||
| 5108 | 1 | int wnaf_expected[8] = { -1, -1, -1, -1, -1, -1, -1, 0xf }; | |
| 5109 | 1 | secp256k1_scalar_set_int(&num, 0xeeeeeeee); | |
| 5110 | 1 | skew = secp256k1_wnaf_fixed(wnaf, &num, w); | |
| 5111 | 1 | test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w); | |
| 5112 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(skew == 1); |
| 5113 | } | ||
| 5114 | { | ||
| 5115 | 1 | int wnaf_expected[8] = { 1, 0, 1, 0, 1, 0, 1, 0 }; | |
| 5116 | 1 | secp256k1_scalar_set_int(&num, 0x01010101); | |
| 5117 | 1 | skew = secp256k1_wnaf_fixed(wnaf, &num, w); | |
| 5118 | 1 | test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w); | |
| 5119 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(skew == 0); |
| 5120 | } | ||
| 5121 | { | ||
| 5122 | 1 | int wnaf_expected[8] = { -0xf, 0, 0xf, -0xf, 0, 0xf, 1, 0 }; | |
| 5123 | 1 | secp256k1_scalar_set_int(&num, 0x01ef1ef1); | |
| 5124 | 1 | skew = secp256k1_wnaf_fixed(wnaf, &num, w); | |
| 5125 | 1 | test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w); | |
| 5126 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(skew == 0); |
| 5127 | } | ||
| 5128 | 1 | } | |
| 5129 | |||
| 5130 | 1 | void run_wnaf(void) { | |
| 5131 | 1 | int i; | |
| 5132 | 1 | secp256k1_scalar n = {{0}}; | |
| 5133 | |||
| 5134 | 1 | test_constant_wnaf(&n, 4); | |
| 5135 | /* Sanity check: 1 and 2 are the smallest odd and even numbers and should | ||
| 5136 | * have easier-to-diagnose failure modes */ | ||
| 5137 | 1 | n.d[0] = 1; | |
| 5138 | 1 | test_constant_wnaf(&n, 4); | |
| 5139 | 1 | n.d[0] = 2; | |
| 5140 | 1 | test_constant_wnaf(&n, 4); | |
| 5141 | /* Test -1, because it's a special case in wnaf_const */ | ||
| 5142 | 1 | n = secp256k1_scalar_one; | |
| 5143 | 1 | secp256k1_scalar_negate(&n, &n); | |
| 5144 | 1 | test_constant_wnaf(&n, 4); | |
| 5145 | |||
| 5146 | /* Test -2, which may not lead to overflows in wnaf_const */ | ||
| 5147 | 1 | secp256k1_scalar_add(&n, &secp256k1_scalar_one, &secp256k1_scalar_one); | |
| 5148 | 1 | secp256k1_scalar_negate(&n, &n); | |
| 5149 | 1 | test_constant_wnaf(&n, 4); | |
| 5150 | |||
| 5151 | /* Test (1/2) - 1 = 1/-2 and 1/2 = (1/-2) + 1 | ||
| 5152 | as corner cases of negation handling in wnaf_const */ | ||
| 5153 | 1 | secp256k1_scalar_inverse(&n, &n); | |
| 5154 | 1 | test_constant_wnaf(&n, 4); | |
| 5155 | |||
| 5156 | 1 | secp256k1_scalar_add(&n, &n, &secp256k1_scalar_one); | |
| 5157 | 1 | test_constant_wnaf(&n, 4); | |
| 5158 | |||
| 5159 | /* Test 0 for fixed wnaf */ | ||
| 5160 | 1 | test_fixed_wnaf_small(); | |
| 5161 | /* Random tests */ | ||
| 5162 |
2/2✓ Branch 1 taken 64 times.
✓ Branch 2 taken 1 times.
|
66 | for (i = 0; i < count; i++) { |
| 5163 | 64 | random_scalar_order(&n); | |
| 5164 | 64 | test_wnaf(&n, 4+(i%10)); | |
| 5165 | 64 | test_constant_wnaf_negate(&n); | |
| 5166 | 64 | test_constant_wnaf(&n, 4 + (i % 10)); | |
| 5167 | 64 | test_fixed_wnaf(&n, 4 + (i % 10)); | |
| 5168 | } | ||
| 5169 | 1 | secp256k1_scalar_set_int(&n, 0); | |
| 5170 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_scalar_cond_negate(&n, 1) == -1); |
| 5171 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_scalar_is_zero(&n)); |
| 5172 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_scalar_cond_negate(&n, 0) == 1); |
| 5173 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_scalar_is_zero(&n)); |
| 5174 | 1 | } | |
| 5175 | |||
| 5176 | 35920 | static int test_ecmult_accumulate_cb(secp256k1_scalar* sc, secp256k1_ge* pt, size_t idx, void* data) { | |
| 5177 | 35920 | const secp256k1_scalar* indata = (const secp256k1_scalar*)data; | |
| 5178 | 35920 | *sc = *indata; | |
| 5179 | 35920 | *pt = secp256k1_ge_const_g; | |
| 5180 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 35920 times.
|
35920 | CHECK(idx == 0); |
| 5181 | 35920 | return 1; | |
| 5182 | } | ||
| 5183 | |||
| 5184 | 35920 | void test_ecmult_accumulate(secp256k1_sha256* acc, const secp256k1_scalar* x, secp256k1_scratch* scratch) { | |
| 5185 | /* Compute x*G in 6 different ways, serialize it uncompressed, and feed it into acc. */ | ||
| 5186 | 35920 | secp256k1_gej rj1, rj2, rj3, rj4, rj5, rj6, gj, infj; | |
| 5187 | 35920 | secp256k1_ge r; | |
| 5188 | 35920 | const secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0); | |
| 5189 | 35920 | unsigned char bytes[65]; | |
| 5190 | 35920 | size_t size = 65; | |
| 5191 | 35920 | secp256k1_gej_set_ge(&gj, &secp256k1_ge_const_g); | |
| 5192 | 35920 | secp256k1_gej_set_infinity(&infj); | |
| 5193 | 35920 | secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &rj1, x); | |
| 5194 | 35920 | secp256k1_ecmult(&rj2, &gj, x, &zero); | |
| 5195 | 35920 | secp256k1_ecmult(&rj3, &infj, &zero, x); | |
| 5196 | 35920 | secp256k1_ecmult_multi_var(NULL, scratch, &rj4, x, NULL, NULL, 0); | |
| 5197 | 35920 | secp256k1_ecmult_multi_var(NULL, scratch, &rj5, &zero, test_ecmult_accumulate_cb, (void*)x, 1); | |
| 5198 | 35920 | secp256k1_ecmult_const(&rj6, &secp256k1_ge_const_g, x, 256); | |
| 5199 | 35920 | secp256k1_ge_set_gej_var(&r, &rj1); | |
| 5200 | 35920 | ge_equals_gej(&r, &rj2); | |
| 5201 | 35920 | ge_equals_gej(&r, &rj3); | |
| 5202 | 35920 | ge_equals_gej(&r, &rj4); | |
| 5203 | 35920 | ge_equals_gej(&r, &rj5); | |
| 5204 | 35920 | ge_equals_gej(&r, &rj6); | |
| 5205 |
2/2✓ Branch 0 taken 4 times.
✓ Branch 1 taken 35916 times.
|
35920 | if (secp256k1_ge_is_infinity(&r)) { |
| 5206 | /* Store infinity as 0x00 */ | ||
| 5207 | 4 | const unsigned char zerobyte[1] = {0}; | |
| 5208 | 4 | secp256k1_sha256_write(acc, zerobyte, 1); | |
| 5209 | } else { | ||
| 5210 | /* Store other points using their uncompressed serialization. */ | ||
| 5211 | 35916 | secp256k1_eckey_pubkey_serialize(&r, bytes, &size, 0); | |
| 5212 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 35916 times.
|
35916 | CHECK(size == 65); |
| 5213 | 35916 | secp256k1_sha256_write(acc, bytes, size); | |
| 5214 | } | ||
| 5215 | 35920 | } | |
| 5216 | |||
| 5217 | 1 | void test_ecmult_constants_2bit(void) { | |
| 5218 | /* Using test_ecmult_accumulate, test ecmult for: | ||
| 5219 | * - For i in 0..36: | ||
| 5220 | * - Key i | ||
| 5221 | * - Key -i | ||
| 5222 | * - For i in 0..255: | ||
| 5223 | * - For j in 1..255 (only odd values): | ||
| 5224 | * - Key (j*2^i) mod order | ||
| 5225 | */ | ||
| 5226 | 1 | secp256k1_scalar x; | |
| 5227 | 1 | secp256k1_sha256 acc; | |
| 5228 | 1 | unsigned char b32[32]; | |
| 5229 | 1 | int i, j; | |
| 5230 | 1 | secp256k1_scratch_space *scratch = secp256k1_scratch_space_create(ctx, 65536); | |
| 5231 | |||
| 5232 | /* Expected hash of all the computed points; created with an independent | ||
| 5233 | * implementation. */ | ||
| 5234 | 1 | static const unsigned char expected32[32] = { | |
| 5235 | 0xe4, 0x71, 0x1b, 0x4d, 0x14, 0x1e, 0x68, 0x48, | ||
| 5236 | 0xb7, 0xaf, 0x47, 0x2b, 0x4c, 0xd2, 0x04, 0x14, | ||
| 5237 | 0x3a, 0x75, 0x87, 0x60, 0x1a, 0xf9, 0x63, 0x60, | ||
| 5238 | 0xd0, 0xcb, 0x1f, 0xaa, 0x85, 0x9a, 0xb7, 0xb4 | ||
| 5239 | }; | ||
| 5240 | 1 | secp256k1_sha256_initialize(&acc); | |
| 5241 |
2/2✓ Branch 0 taken 37 times.
✓ Branch 1 taken 1 times.
|
38 | for (i = 0; i <= 36; ++i) { |
| 5242 | 37 | secp256k1_scalar_set_int(&x, i); | |
| 5243 | 37 | test_ecmult_accumulate(&acc, &x, scratch); | |
| 5244 | 37 | secp256k1_scalar_negate(&x, &x); | |
| 5245 | 37 | test_ecmult_accumulate(&acc, &x, scratch); | |
| 5246 | }; | ||
| 5247 |
2/2✓ Branch 0 taken 256 times.
✓ Branch 1 taken 1 times.
|
257 | for (i = 0; i < 256; ++i) { |
| 5248 |
2/2✓ Branch 0 taken 32768 times.
✓ Branch 1 taken 256 times.
|
33024 | for (j = 1; j < 256; j += 2) { |
| 5249 | 32768 | int k; | |
| 5250 | 32768 | secp256k1_scalar_set_int(&x, j); | |
| 5251 |
2/2✓ Branch 1 taken 4177920 times.
✓ Branch 2 taken 32768 times.
|
4210688 | for (k = 0; k < i; ++k) secp256k1_scalar_add(&x, &x, &x); |
| 5252 | 32768 | test_ecmult_accumulate(&acc, &x, scratch); | |
| 5253 | } | ||
| 5254 | } | ||
| 5255 | 1 | secp256k1_sha256_finalize(&acc, b32); | |
| 5256 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
2 | CHECK(secp256k1_memcmp_var(b32, expected32, 32) == 0); |
| 5257 | |||
| 5258 | 1 | secp256k1_scratch_space_destroy(ctx, scratch); | |
| 5259 | 1 | } | |
| 5260 | |||
| 5261 | 2 | void test_ecmult_constants_sha(uint32_t prefix, size_t iter, const unsigned char* expected32) { | |
| 5262 | /* Using test_ecmult_accumulate, test ecmult for: | ||
| 5263 | * - Key 0 | ||
| 5264 | * - Key 1 | ||
| 5265 | * - Key -1 | ||
| 5266 | * - For i in range(iter): | ||
| 5267 | * - Key SHA256(LE32(prefix) || LE16(i)) | ||
| 5268 | */ | ||
| 5269 | 2 | secp256k1_scalar x; | |
| 5270 | 2 | secp256k1_sha256 acc; | |
| 5271 | 2 | unsigned char b32[32]; | |
| 5272 | 2 | unsigned char inp[6]; | |
| 5273 | 2 | size_t i; | |
| 5274 | 2 | secp256k1_scratch_space *scratch = secp256k1_scratch_space_create(ctx, 65536); | |
| 5275 | |||
| 5276 | 2 | inp[0] = prefix & 0xFF; | |
| 5277 | 2 | inp[1] = (prefix >> 8) & 0xFF; | |
| 5278 | 2 | inp[2] = (prefix >> 16) & 0xFF; | |
| 5279 | 2 | inp[3] = (prefix >> 24) & 0xFF; | |
| 5280 | 2 | secp256k1_sha256_initialize(&acc); | |
| 5281 | 2 | secp256k1_scalar_set_int(&x, 0); | |
| 5282 | 2 | test_ecmult_accumulate(&acc, &x, scratch); | |
| 5283 | 2 | secp256k1_scalar_set_int(&x, 1); | |
| 5284 | 2 | test_ecmult_accumulate(&acc, &x, scratch); | |
| 5285 | 2 | secp256k1_scalar_negate(&x, &x); | |
| 5286 | 2 | test_ecmult_accumulate(&acc, &x, scratch); | |
| 5287 | |||
| 5288 |
2/2✓ Branch 1 taken 3072 times.
✓ Branch 2 taken 2 times.
|
3076 | for (i = 0; i < iter; ++i) { |
| 5289 | 3072 | secp256k1_sha256 gen; | |
| 5290 | 3072 | inp[4] = i & 0xff; | |
| 5291 | 3072 | inp[5] = (i >> 8) & 0xff; | |
| 5292 | 3072 | secp256k1_sha256_initialize(&gen); | |
| 5293 | 3072 | secp256k1_sha256_write(&gen, inp, sizeof(inp)); | |
| 5294 | 3072 | secp256k1_sha256_finalize(&gen, b32); | |
| 5295 | 3072 | secp256k1_scalar_set_b32(&x, b32, NULL); | |
| 5296 | 3072 | test_ecmult_accumulate(&acc, &x, scratch); | |
| 5297 | } | ||
| 5298 | 2 | secp256k1_sha256_finalize(&acc, b32); | |
| 5299 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 2 times.
|
4 | CHECK(secp256k1_memcmp_var(b32, expected32, 32) == 0); |
| 5300 | |||
| 5301 | 2 | secp256k1_scratch_space_destroy(ctx, scratch); | |
| 5302 | 2 | } | |
| 5303 | |||
| 5304 | 1 | void run_ecmult_constants(void) { | |
| 5305 | /* Expected hashes of all points in the tests below. Computed using an | ||
| 5306 | * independent implementation. */ | ||
| 5307 | 1 | static const unsigned char expected32_6bit20[32] = { | |
| 5308 | 0x68, 0xb6, 0xed, 0x6f, 0x28, 0xca, 0xc9, 0x7f, | ||
| 5309 | 0x8e, 0x8b, 0xd6, 0xc0, 0x61, 0x79, 0x34, 0x6e, | ||
| 5310 | 0x5a, 0x8f, 0x2b, 0xbc, 0x3e, 0x1f, 0xc5, 0x2e, | ||
| 5311 | 0x2a, 0xd0, 0x45, 0x67, 0x7f, 0x95, 0x95, 0x8e | ||
| 5312 | }; | ||
| 5313 | 1 | static const unsigned char expected32_8bit8[32] = { | |
| 5314 | 0x8b, 0x65, 0x8e, 0xea, 0x86, 0xae, 0x3c, 0x95, | ||
| 5315 | 0x90, 0xb6, 0x77, 0xa4, 0x8c, 0x76, 0xd9, 0xec, | ||
| 5316 | 0xf5, 0xab, 0x8a, 0x2f, 0xfd, 0xdb, 0x19, 0x12, | ||
| 5317 | 0x1a, 0xee, 0xe6, 0xb7, 0x6e, 0x05, 0x3f, 0xc6 | ||
| 5318 | }; | ||
| 5319 | /* For every combination of 6 bit positions out of 256, restricted to | ||
| 5320 | * 20-bit windows (i.e., the first and last bit position are no more than | ||
| 5321 | * 19 bits apart), all 64 bit patterns occur in the input scalars used in | ||
| 5322 | * this test. */ | ||
| 5323 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CONDITIONAL_TEST(1, "test_ecmult_constants_sha 1024") { |
| 5324 | 1 | test_ecmult_constants_sha(4808378u, 1024, expected32_6bit20); | |
| 5325 | } | ||
| 5326 | |||
| 5327 | /* For every combination of 8 consecutive bit positions, all 256 bit | ||
| 5328 | * patterns occur in the input scalars used in this test. */ | ||
| 5329 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CONDITIONAL_TEST(3, "test_ecmult_constants_sha 2048") { |
| 5330 | 1 | test_ecmult_constants_sha(1607366309u, 2048, expected32_8bit8); | |
| 5331 | } | ||
| 5332 | |||
| 5333 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CONDITIONAL_TEST(35, "test_ecmult_constants_2bit") { |
| 5334 | 1 | test_ecmult_constants_2bit(); | |
| 5335 | } | ||
| 5336 | 1 | } | |
| 5337 | |||
| 5338 | 10 | void test_ecmult_gen_blind(void) { | |
| 5339 | /* Test ecmult_gen() blinding and confirm that the blinding changes, the affine points match, and the z's don't match. */ | ||
| 5340 | 10 | secp256k1_scalar key; | |
| 5341 | 10 | secp256k1_scalar b; | |
| 5342 | 10 | unsigned char seed32[32]; | |
| 5343 | 10 | secp256k1_gej pgej; | |
| 5344 | 10 | secp256k1_gej pgej2; | |
| 5345 | 10 | secp256k1_gej i; | |
| 5346 | 10 | secp256k1_ge pge; | |
| 5347 | 10 | random_scalar_order_test(&key); | |
| 5348 | 10 | secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej, &key); | |
| 5349 | 10 | secp256k1_testrand256(seed32); | |
| 5350 | 10 | b = ctx->ecmult_gen_ctx.blind; | |
| 5351 | 10 | i = ctx->ecmult_gen_ctx.initial; | |
| 5352 | 10 | secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32); | |
| 5353 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 10 times.
|
10 | CHECK(!secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind)); |
| 5354 | 10 | secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej2, &key); | |
| 5355 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 10 times.
|
10 | CHECK(!gej_xyz_equals_gej(&pgej, &pgej2)); |
| 5356 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 10 times.
|
10 | CHECK(!gej_xyz_equals_gej(&i, &ctx->ecmult_gen_ctx.initial)); |
| 5357 | 10 | secp256k1_ge_set_gej(&pge, &pgej); | |
| 5358 | 10 | ge_equals_gej(&pge, &pgej2); | |
| 5359 | 10 | } | |
| 5360 | |||
| 5361 | 1 | void test_ecmult_gen_blind_reset(void) { | |
| 5362 | /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */ | ||
| 5363 | 1 | secp256k1_scalar b; | |
| 5364 | 1 | secp256k1_gej initial; | |
| 5365 | 1 | secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0); | |
| 5366 | 1 | b = ctx->ecmult_gen_ctx.blind; | |
| 5367 | 1 | initial = ctx->ecmult_gen_ctx.initial; | |
| 5368 | 1 | secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0); | |
| 5369 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind)); |
| 5370 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(gej_xyz_equals_gej(&initial, &ctx->ecmult_gen_ctx.initial)); |
| 5371 | 1 | } | |
| 5372 | |||
| 5373 | 1 | void run_ecmult_gen_blind(void) { | |
| 5374 | 1 | int i; | |
| 5375 | 1 | test_ecmult_gen_blind_reset(); | |
| 5376 |
2/2✓ Branch 1 taken 10 times.
✓ Branch 2 taken 1 times.
|
12 | for (i = 0; i < 10; i++) { |
| 5377 | 10 | test_ecmult_gen_blind(); | |
| 5378 | } | ||
| 5379 | 1 | } | |
| 5380 | |||
| 5381 | /***** ENDOMORPHISH TESTS *****/ | ||
| 5382 | 6425 | void test_scalar_split(const secp256k1_scalar* full) { | |
| 5383 | 6425 | secp256k1_scalar s, s1, slam; | |
| 5384 | 6425 | const unsigned char zero[32] = {0}; | |
| 5385 | 6425 | unsigned char tmp[32]; | |
| 5386 | |||
| 5387 | 6425 | secp256k1_scalar_split_lambda(&s1, &slam, full); | |
| 5388 | |||
| 5389 | /* check slam*lambda + s1 == full */ | ||
| 5390 | 6425 | secp256k1_scalar_mul(&s, &secp256k1_const_lambda, &slam); | |
| 5391 | 6425 | secp256k1_scalar_add(&s, &s, &s1); | |
| 5392 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 6425 times.
|
6425 | CHECK(secp256k1_scalar_eq(&s, full)); |
| 5393 | |||
| 5394 | /* check that both are <= 128 bits in size */ | ||
| 5395 |
2/2✓ Branch 0 taken 3173 times.
✓ Branch 1 taken 3252 times.
|
6425 | if (secp256k1_scalar_is_high(&s1)) { |
| 5396 | 3173 | secp256k1_scalar_negate(&s1, &s1); | |
| 5397 | } | ||
| 5398 |
2/2✓ Branch 0 taken 3210 times.
✓ Branch 1 taken 3215 times.
|
6425 | if (secp256k1_scalar_is_high(&slam)) { |
| 5399 | 3210 | secp256k1_scalar_negate(&slam, &slam); | |
| 5400 | } | ||
| 5401 | |||
| 5402 | 6425 | secp256k1_scalar_get_b32(tmp, &s1); | |
| 5403 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 6425 times.
|
12850 | CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0); |
| 5404 | 6425 | secp256k1_scalar_get_b32(tmp, &slam); | |
| 5405 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 6425 times.
|
12850 | CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0); |
| 5406 | 6425 | } | |
| 5407 | |||
| 5408 | |||
| 5409 | 1 | void run_endomorphism_tests(void) { | |
| 5410 | 1 | unsigned i; | |
| 5411 | 1 | static secp256k1_scalar s; | |
| 5412 | 1 | test_scalar_split(&secp256k1_scalar_zero); | |
| 5413 | 1 | test_scalar_split(&secp256k1_scalar_one); | |
| 5414 | 1 | secp256k1_scalar_negate(&s,&secp256k1_scalar_one); | |
| 5415 | 1 | test_scalar_split(&s); | |
| 5416 | 1 | test_scalar_split(&secp256k1_const_lambda); | |
| 5417 | 1 | secp256k1_scalar_add(&s, &secp256k1_const_lambda, &secp256k1_scalar_one); | |
| 5418 | 1 | test_scalar_split(&s); | |
| 5419 | |||
| 5420 |
2/2✓ Branch 1 taken 6400 times.
✓ Branch 2 taken 1 times.
|
6402 | for (i = 0; i < 100U * count; ++i) { |
| 5421 | 6400 | secp256k1_scalar full; | |
| 5422 | 6400 | random_scalar_order_test(&full); | |
| 5423 | 6400 | test_scalar_split(&full); | |
| 5424 | } | ||
| 5425 |
2/2✓ Branch 0 taken 20 times.
✓ Branch 1 taken 1 times.
|
21 | for (i = 0; i < sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); ++i) { |
| 5426 | 20 | test_scalar_split(&scalars_near_split_bounds[i]); | |
| 5427 | } | ||
| 5428 | 1 | } | |
| 5429 | |||
| 5430 | 23 | void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid) { | |
| 5431 | 23 | unsigned char pubkeyc[65]; | |
| 5432 | 23 | secp256k1_pubkey pubkey; | |
| 5433 | 23 | secp256k1_ge ge; | |
| 5434 | 23 | size_t pubkeyclen; | |
| 5435 | 23 | int32_t ecount; | |
| 5436 | 23 | ecount = 0; | |
| 5437 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 23 times.
|
23 | secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount); |
| 5438 |
2/2✓ Branch 0 taken 1449 times.
✓ Branch 1 taken 23 times.
|
1472 | for (pubkeyclen = 3; pubkeyclen <= 65; pubkeyclen++) { |
| 5439 | /* Smaller sizes are tested exhaustively elsewhere. */ | ||
| 5440 | 1449 | int32_t i; | |
| 5441 | 1449 | memcpy(&pubkeyc[1], input, 64); | |
| 5442 | 1449 | VG_UNDEF(&pubkeyc[pubkeyclen], 65 - pubkeyclen); | |
| 5443 |
2/2✓ Branch 0 taken 370944 times.
✓ Branch 1 taken 1449 times.
|
372393 | for (i = 0; i < 256; i++) { |
| 5444 | /* Try all type bytes. */ | ||
| 5445 | 370944 | int xpass; | |
| 5446 | 370944 | int ypass; | |
| 5447 | 370944 | int ysign; | |
| 5448 | 370944 | pubkeyc[0] = i; | |
| 5449 | /* What sign does this point have? */ | ||
| 5450 | 370944 | ysign = (input[63] & 1) + 2; | |
| 5451 | /* For the current type (i) do we expect parsing to work? Handled all of compressed/uncompressed/hybrid. */ | ||
| 5452 |
4/4✓ Branch 0 taken 4096 times.
✓ Branch 1 taken 366848 times.
✓ Branch 2 taken 4064 times.
✓ Branch 3 taken 32 times.
|
370944 | xpass = xvalid && (pubkeyclen == 33) && ((i & 254) == 2); |
| 5453 | /* Do we expect a parse and re-serialize as uncompressed to give a matching y? */ | ||
| 5454 |
6/6✓ Branch 0 taken 190464 times.
✓ Branch 1 taken 3072 times.
✓ Branch 2 taken 96768 times.
✓ Branch 3 taken 96768 times.
✓ Branch 4 taken 96756 times.
✓ Branch 5 taken 12 times.
|
384000 | ypass = xvalid && yvalid && ((i & 4) == ((pubkeyclen == 65) << 2)) && |
| 5455 |
6/6✓ Branch 0 taken 193536 times.
✓ Branch 1 taken 177408 times.
✓ Branch 2 taken 756 times.
✓ Branch 3 taken 96000 times.
✓ Branch 4 taken 732 times.
✓ Branch 5 taken 36 times.
|
467712 | ((i == 4) || ((i & 251) == ysign)) && ((pubkeyclen == 33) || (pubkeyclen == 65)); |
| 5456 |
2/2✓ Branch 0 taken 56 times.
✓ Branch 1 taken 370888 times.
|
370944 | if (xpass || ypass) { |
| 5457 | /* These cases must parse. */ | ||
| 5458 | 56 | unsigned char pubkeyo[65]; | |
| 5459 | 56 | size_t outl; | |
| 5460 | 56 | memset(&pubkey, 0, sizeof(pubkey)); | |
| 5461 | 56 | VG_UNDEF(&pubkey, sizeof(pubkey)); | |
| 5462 | 56 | ecount = 0; | |
| 5463 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 56 times.
|
56 | CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1); |
| 5464 | 56 | VG_CHECK(&pubkey, sizeof(pubkey)); | |
| 5465 | 56 | outl = 65; | |
| 5466 | 56 | VG_UNDEF(pubkeyo, 65); | |
| 5467 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 56 times.
|
56 | CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_COMPRESSED) == 1); |
| 5468 | 56 | VG_CHECK(pubkeyo, outl); | |
| 5469 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 56 times.
|
56 | CHECK(outl == 33); |
| 5470 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 56 times.
|
56 | CHECK(secp256k1_memcmp_var(&pubkeyo[1], &pubkeyc[1], 32) == 0); |
| 5471 |
3/4✓ Branch 0 taken 32 times.
✓ Branch 1 taken 24 times.
✗ Branch 2 not taken.
✓ Branch 3 taken 32 times.
|
56 | CHECK((pubkeyclen != 33) || (pubkeyo[0] == pubkeyc[0])); |
| 5472 |
2/2✓ Branch 0 taken 36 times.
✓ Branch 1 taken 20 times.
|
56 | if (ypass) { |
| 5473 | /* This test isn't always done because we decode with alternative signs, so the y won't match. */ | ||
| 5474 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 36 times.
|
36 | CHECK(pubkeyo[0] == ysign); |
| 5475 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 36 times.
|
36 | CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1); |
| 5476 | 36 | memset(&pubkey, 0, sizeof(pubkey)); | |
| 5477 | 36 | VG_UNDEF(&pubkey, sizeof(pubkey)); | |
| 5478 | 36 | secp256k1_pubkey_save(&pubkey, &ge); | |
| 5479 | 36 | VG_CHECK(&pubkey, sizeof(pubkey)); | |
| 5480 | 36 | outl = 65; | |
| 5481 | 36 | VG_UNDEF(pubkeyo, 65); | |
| 5482 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 36 times.
|
36 | CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1); |
| 5483 | 36 | VG_CHECK(pubkeyo, outl); | |
| 5484 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 36 times.
|
36 | CHECK(outl == 65); |
| 5485 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 36 times.
|
36 | CHECK(pubkeyo[0] == 4); |
| 5486 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 36 times.
|
36 | CHECK(secp256k1_memcmp_var(&pubkeyo[1], input, 64) == 0); |
| 5487 | } | ||
| 5488 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 56 times.
|
56 | CHECK(ecount == 0); |
| 5489 | } else { | ||
| 5490 | /* These cases must fail to parse. */ | ||
| 5491 | 370888 | memset(&pubkey, 0xfe, sizeof(pubkey)); | |
| 5492 | 370888 | ecount = 0; | |
| 5493 | 370888 | VG_UNDEF(&pubkey, sizeof(pubkey)); | |
| 5494 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 370888 times.
|
370888 | CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 0); |
| 5495 | 370888 | VG_CHECK(&pubkey, sizeof(pubkey)); | |
| 5496 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 370888 times.
|
370888 | CHECK(ecount == 0); |
| 5497 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 370888 times.
|
370888 | CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0); |
| 5498 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 370888 times.
|
370944 | CHECK(ecount == 1); |
| 5499 | } | ||
| 5500 | } | ||
| 5501 | } | ||
| 5502 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 23 times.
|
23 | secp256k1_context_set_illegal_callback(ctx, NULL, NULL); |
| 5503 | 23 | } | |
| 5504 | |||
| 5505 | 1 | void run_ec_pubkey_parse_test(void) { | |
| 5506 | #define SECP256K1_EC_PARSE_TEST_NVALID (12) | ||
| 5507 | 1 | const unsigned char valid[SECP256K1_EC_PARSE_TEST_NVALID][64] = { | |
| 5508 | { | ||
| 5509 | /* Point with leading and trailing zeros in x and y serialization. */ | ||
| 5510 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x52, | ||
| 5511 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 5512 | 0x00, 0x00, 0x64, 0xef, 0xa1, 0x7b, 0x77, 0x61, 0xe1, 0xe4, 0x27, 0x06, 0x98, 0x9f, 0xb4, 0x83, | ||
| 5513 | 0xb8, 0xd2, 0xd4, 0x9b, 0xf7, 0x8f, 0xae, 0x98, 0x03, 0xf0, 0x99, 0xb8, 0x34, 0xed, 0xeb, 0x00 | ||
| 5514 | }, | ||
| 5515 | { | ||
| 5516 | /* Point with x equal to a 3rd root of unity.*/ | ||
| 5517 | 0x7a, 0xe9, 0x6a, 0x2b, 0x65, 0x7c, 0x07, 0x10, 0x6e, 0x64, 0x47, 0x9e, 0xac, 0x34, 0x34, 0xe9, | ||
| 5518 | 0x9c, 0xf0, 0x49, 0x75, 0x12, 0xf5, 0x89, 0x95, 0xc1, 0x39, 0x6c, 0x28, 0x71, 0x95, 0x01, 0xee, | ||
| 5519 | 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14, | ||
| 5520 | 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee, | ||
| 5521 | }, | ||
| 5522 | { | ||
| 5523 | /* Point with largest x. (1/2) */ | ||
| 5524 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
| 5525 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c, | ||
| 5526 | 0x0e, 0x99, 0x4b, 0x14, 0xea, 0x72, 0xf8, 0xc3, 0xeb, 0x95, 0xc7, 0x1e, 0xf6, 0x92, 0x57, 0x5e, | ||
| 5527 | 0x77, 0x50, 0x58, 0x33, 0x2d, 0x7e, 0x52, 0xd0, 0x99, 0x5c, 0xf8, 0x03, 0x88, 0x71, 0xb6, 0x7d, | ||
| 5528 | }, | ||
| 5529 | { | ||
| 5530 | /* Point with largest x. (2/2) */ | ||
| 5531 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
| 5532 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c, | ||
| 5533 | 0xf1, 0x66, 0xb4, 0xeb, 0x15, 0x8d, 0x07, 0x3c, 0x14, 0x6a, 0x38, 0xe1, 0x09, 0x6d, 0xa8, 0xa1, | ||
| 5534 | 0x88, 0xaf, 0xa7, 0xcc, 0xd2, 0x81, 0xad, 0x2f, 0x66, 0xa3, 0x07, 0xfb, 0x77, 0x8e, 0x45, 0xb2, | ||
| 5535 | }, | ||
| 5536 | { | ||
| 5537 | /* Point with smallest x. (1/2) */ | ||
| 5538 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 5539 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, | ||
| 5540 | 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14, | ||
| 5541 | 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee, | ||
| 5542 | }, | ||
| 5543 | { | ||
| 5544 | /* Point with smallest x. (2/2) */ | ||
| 5545 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 5546 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, | ||
| 5547 | 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb, | ||
| 5548 | 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41, | ||
| 5549 | }, | ||
| 5550 | { | ||
| 5551 | /* Point with largest y. (1/3) */ | ||
| 5552 | 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6, | ||
| 5553 | 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07, | ||
| 5554 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
| 5555 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e, | ||
| 5556 | }, | ||
| 5557 | { | ||
| 5558 | /* Point with largest y. (2/3) */ | ||
| 5559 | 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c, | ||
| 5560 | 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73, | ||
| 5561 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
| 5562 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e, | ||
| 5563 | }, | ||
| 5564 | { | ||
| 5565 | /* Point with largest y. (3/3) */ | ||
| 5566 | 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc, | ||
| 5567 | 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5, | ||
| 5568 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
| 5569 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e, | ||
| 5570 | }, | ||
| 5571 | { | ||
| 5572 | /* Point with smallest y. (1/3) */ | ||
| 5573 | 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6, | ||
| 5574 | 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07, | ||
| 5575 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 5576 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, | ||
| 5577 | }, | ||
| 5578 | { | ||
| 5579 | /* Point with smallest y. (2/3) */ | ||
| 5580 | 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c, | ||
| 5581 | 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73, | ||
| 5582 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 5583 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, | ||
| 5584 | }, | ||
| 5585 | { | ||
| 5586 | /* Point with smallest y. (3/3) */ | ||
| 5587 | 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc, | ||
| 5588 | 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5, | ||
| 5589 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 5590 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 | ||
| 5591 | } | ||
| 5592 | }; | ||
| 5593 | #define SECP256K1_EC_PARSE_TEST_NXVALID (4) | ||
| 5594 | 1 | const unsigned char onlyxvalid[SECP256K1_EC_PARSE_TEST_NXVALID][64] = { | |
| 5595 | { | ||
| 5596 | /* Valid if y overflow ignored (y = 1 mod p). (1/3) */ | ||
| 5597 | 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6, | ||
| 5598 | 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07, | ||
| 5599 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
| 5600 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30, | ||
| 5601 | }, | ||
| 5602 | { | ||
| 5603 | /* Valid if y overflow ignored (y = 1 mod p). (2/3) */ | ||
| 5604 | 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c, | ||
| 5605 | 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73, | ||
| 5606 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
| 5607 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30, | ||
| 5608 | }, | ||
| 5609 | { | ||
| 5610 | /* Valid if y overflow ignored (y = 1 mod p). (3/3)*/ | ||
| 5611 | 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc, | ||
| 5612 | 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5, | ||
| 5613 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
| 5614 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30, | ||
| 5615 | }, | ||
| 5616 | { | ||
| 5617 | /* x on curve, y is from y^2 = x^3 + 8. */ | ||
| 5618 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 5619 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, | ||
| 5620 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 5621 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03 | ||
| 5622 | } | ||
| 5623 | }; | ||
| 5624 | #define SECP256K1_EC_PARSE_TEST_NINVALID (7) | ||
| 5625 | 1 | const unsigned char invalid[SECP256K1_EC_PARSE_TEST_NINVALID][64] = { | |
| 5626 | { | ||
| 5627 | /* x is third root of -8, y is -1 * (x^3+7); also on the curve for y^2 = x^3 + 9. */ | ||
| 5628 | 0x0a, 0x2d, 0x2b, 0xa9, 0x35, 0x07, 0xf1, 0xdf, 0x23, 0x37, 0x70, 0xc2, 0xa7, 0x97, 0x96, 0x2c, | ||
| 5629 | 0xc6, 0x1f, 0x6d, 0x15, 0xda, 0x14, 0xec, 0xd4, 0x7d, 0x8d, 0x27, 0xae, 0x1c, 0xd5, 0xf8, 0x53, | ||
| 5630 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 5631 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, | ||
| 5632 | }, | ||
| 5633 | { | ||
| 5634 | /* Valid if x overflow ignored (x = 1 mod p). */ | ||
| 5635 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
| 5636 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30, | ||
| 5637 | 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14, | ||
| 5638 | 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee, | ||
| 5639 | }, | ||
| 5640 | { | ||
| 5641 | /* Valid if x overflow ignored (x = 1 mod p). */ | ||
| 5642 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
| 5643 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30, | ||
| 5644 | 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb, | ||
| 5645 | 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41, | ||
| 5646 | }, | ||
| 5647 | { | ||
| 5648 | /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */ | ||
| 5649 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
| 5650 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e, | ||
| 5651 | 0xf4, 0x84, 0x14, 0x5c, 0xb0, 0x14, 0x9b, 0x82, 0x5d, 0xff, 0x41, 0x2f, 0xa0, 0x52, 0xa8, 0x3f, | ||
| 5652 | 0xcb, 0x72, 0xdb, 0x61, 0xd5, 0x6f, 0x37, 0x70, 0xce, 0x06, 0x6b, 0x73, 0x49, 0xa2, 0xaa, 0x28, | ||
| 5653 | }, | ||
| 5654 | { | ||
| 5655 | /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */ | ||
| 5656 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
| 5657 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e, | ||
| 5658 | 0x0b, 0x7b, 0xeb, 0xa3, 0x4f, 0xeb, 0x64, 0x7d, 0xa2, 0x00, 0xbe, 0xd0, 0x5f, 0xad, 0x57, 0xc0, | ||
| 5659 | 0x34, 0x8d, 0x24, 0x9e, 0x2a, 0x90, 0xc8, 0x8f, 0x31, 0xf9, 0x94, 0x8b, 0xb6, 0x5d, 0x52, 0x07, | ||
| 5660 | }, | ||
| 5661 | { | ||
| 5662 | /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */ | ||
| 5663 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 5664 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 5665 | 0x8f, 0x53, 0x7e, 0xef, 0xdf, 0xc1, 0x60, 0x6a, 0x07, 0x27, 0xcd, 0x69, 0xb4, 0xa7, 0x33, 0x3d, | ||
| 5666 | 0x38, 0xed, 0x44, 0xe3, 0x93, 0x2a, 0x71, 0x79, 0xee, 0xcb, 0x4b, 0x6f, 0xba, 0x93, 0x60, 0xdc, | ||
| 5667 | }, | ||
| 5668 | { | ||
| 5669 | /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */ | ||
| 5670 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 5671 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 5672 | 0x70, 0xac, 0x81, 0x10, 0x20, 0x3e, 0x9f, 0x95, 0xf8, 0xd8, 0x32, 0x96, 0x4b, 0x58, 0xcc, 0xc2, | ||
| 5673 | 0xc7, 0x12, 0xbb, 0x1c, 0x6c, 0xd5, 0x8e, 0x86, 0x11, 0x34, 0xb4, 0x8f, 0x45, 0x6c, 0x9b, 0x53 | ||
| 5674 | } | ||
| 5675 | }; | ||
| 5676 | 1 | const unsigned char pubkeyc[66] = { | |
| 5677 | /* Serialization of G. */ | ||
| 5678 | 0x04, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B, | ||
| 5679 | 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17, | ||
| 5680 | 0x98, 0x48, 0x3A, 0xDA, 0x77, 0x26, 0xA3, 0xC4, 0x65, 0x5D, 0xA4, 0xFB, 0xFC, 0x0E, 0x11, 0x08, | ||
| 5681 | 0xA8, 0xFD, 0x17, 0xB4, 0x48, 0xA6, 0x85, 0x54, 0x19, 0x9C, 0x47, 0xD0, 0x8F, 0xFB, 0x10, 0xD4, | ||
| 5682 | 0xB8, 0x00 | ||
| 5683 | }; | ||
| 5684 | 1 | unsigned char sout[65]; | |
| 5685 | 1 | unsigned char shortkey[2]; | |
| 5686 | 1 | secp256k1_ge ge; | |
| 5687 | 1 | secp256k1_pubkey pubkey; | |
| 5688 | 1 | size_t len; | |
| 5689 | 1 | int32_t i; | |
| 5690 | 1 | int32_t ecount; | |
| 5691 | 1 | int32_t ecount2; | |
| 5692 | 1 | ecount = 0; | |
| 5693 | /* Nothing should be reading this far into pubkeyc. */ | ||
| 5694 | 1 | VG_UNDEF(&pubkeyc[65], 1); | |
| 5695 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount); |
| 5696 | /* Zero length claimed, fail, zeroize, no illegal arg error. */ | ||
| 5697 | 1 | memset(&pubkey, 0xfe, sizeof(pubkey)); | |
| 5698 | 1 | ecount = 0; | |
| 5699 | 1 | VG_UNDEF(shortkey, 2); | |
| 5700 | 1 | VG_UNDEF(&pubkey, sizeof(pubkey)); | |
| 5701 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 0) == 0); |
| 5702 | 1 | VG_CHECK(&pubkey, sizeof(pubkey)); | |
| 5703 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 0); |
| 5704 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0); |
| 5705 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 1); |
| 5706 | /* Length one claimed, fail, zeroize, no illegal arg error. */ | ||
| 5707 |
2/2✓ Branch 0 taken 256 times.
✓ Branch 1 taken 1 times.
|
257 | for (i = 0; i < 256 ; i++) { |
| 5708 | 256 | memset(&pubkey, 0xfe, sizeof(pubkey)); | |
| 5709 | 256 | ecount = 0; | |
| 5710 | 256 | shortkey[0] = i; | |
| 5711 | 256 | VG_UNDEF(&shortkey[1], 1); | |
| 5712 | 256 | VG_UNDEF(&pubkey, sizeof(pubkey)); | |
| 5713 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 256 times.
|
256 | CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 1) == 0); |
| 5714 | 256 | VG_CHECK(&pubkey, sizeof(pubkey)); | |
| 5715 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 256 times.
|
256 | CHECK(ecount == 0); |
| 5716 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 256 times.
|
256 | CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0); |
| 5717 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 256 times.
|
256 | CHECK(ecount == 1); |
| 5718 | } | ||
| 5719 | /* Length two claimed, fail, zeroize, no illegal arg error. */ | ||
| 5720 |
2/2✓ Branch 0 taken 65536 times.
✓ Branch 1 taken 1 times.
|
65537 | for (i = 0; i < 65536 ; i++) { |
| 5721 | 65536 | memset(&pubkey, 0xfe, sizeof(pubkey)); | |
| 5722 | 65536 | ecount = 0; | |
| 5723 | 65536 | shortkey[0] = i & 255; | |
| 5724 | 65536 | shortkey[1] = i >> 8; | |
| 5725 | 65536 | VG_UNDEF(&pubkey, sizeof(pubkey)); | |
| 5726 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 65536 times.
|
65536 | CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 2) == 0); |
| 5727 | 65536 | VG_CHECK(&pubkey, sizeof(pubkey)); | |
| 5728 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 65536 times.
|
65536 | CHECK(ecount == 0); |
| 5729 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 65536 times.
|
65536 | CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0); |
| 5730 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 65536 times.
|
65536 | CHECK(ecount == 1); |
| 5731 | } | ||
| 5732 | 1 | memset(&pubkey, 0xfe, sizeof(pubkey)); | |
| 5733 | 1 | ecount = 0; | |
| 5734 | 1 | VG_UNDEF(&pubkey, sizeof(pubkey)); | |
| 5735 | /* 33 bytes claimed on otherwise valid input starting with 0x04, fail, zeroize output, no illegal arg error. */ | ||
| 5736 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 33) == 0); |
| 5737 | 1 | VG_CHECK(&pubkey, sizeof(pubkey)); | |
| 5738 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 0); |
| 5739 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0); |
| 5740 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 1); |
| 5741 | /* NULL pubkey, illegal arg error. Pubkey isn't rewritten before this step, since it's NULL into the parser. */ | ||
| 5742 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, pubkeyc, 65) == 0); |
| 5743 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 2); |
| 5744 | /* NULL input string. Illegal arg and zeroize output. */ | ||
| 5745 | 1 | memset(&pubkey, 0xfe, sizeof(pubkey)); | |
| 5746 | 1 | ecount = 0; | |
| 5747 | 1 | VG_UNDEF(&pubkey, sizeof(pubkey)); | |
| 5748 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, NULL, 65) == 0); |
| 5749 | 1 | VG_CHECK(&pubkey, sizeof(pubkey)); | |
| 5750 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 1); |
| 5751 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0); |
| 5752 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 2); |
| 5753 | /* 64 bytes claimed on input starting with 0x04, fail, zeroize output, no illegal arg error. */ | ||
| 5754 | 1 | memset(&pubkey, 0xfe, sizeof(pubkey)); | |
| 5755 | 1 | ecount = 0; | |
| 5756 | 1 | VG_UNDEF(&pubkey, sizeof(pubkey)); | |
| 5757 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 64) == 0); |
| 5758 | 1 | VG_CHECK(&pubkey, sizeof(pubkey)); | |
| 5759 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 0); |
| 5760 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0); |
| 5761 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 1); |
| 5762 | /* 66 bytes claimed, fail, zeroize output, no illegal arg error. */ | ||
| 5763 | 1 | memset(&pubkey, 0xfe, sizeof(pubkey)); | |
| 5764 | 1 | ecount = 0; | |
| 5765 | 1 | VG_UNDEF(&pubkey, sizeof(pubkey)); | |
| 5766 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 66) == 0); |
| 5767 | 1 | VG_CHECK(&pubkey, sizeof(pubkey)); | |
| 5768 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 0); |
| 5769 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0); |
| 5770 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 1); |
| 5771 | /* Valid parse. */ | ||
| 5772 | 1 | memset(&pubkey, 0, sizeof(pubkey)); | |
| 5773 | 1 | ecount = 0; | |
| 5774 | 1 | VG_UNDEF(&pubkey, sizeof(pubkey)); | |
| 5775 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 65) == 1); |
| 5776 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_pubkey_parse(secp256k1_context_no_precomp, &pubkey, pubkeyc, 65) == 1); |
| 5777 | 1 | VG_CHECK(&pubkey, sizeof(pubkey)); | |
| 5778 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 0); |
| 5779 | 1 | VG_UNDEF(&ge, sizeof(ge)); | |
| 5780 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1); |
| 5781 | 1 | VG_CHECK(&ge.x, sizeof(ge.x)); | |
| 5782 | 1 | VG_CHECK(&ge.y, sizeof(ge.y)); | |
| 5783 | 1 | VG_CHECK(&ge.infinity, sizeof(ge.infinity)); | |
| 5784 | 1 | ge_equals_ge(&secp256k1_ge_const_g, &ge); | |
| 5785 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 0); |
| 5786 | /* secp256k1_ec_pubkey_serialize illegal args. */ | ||
| 5787 | 1 | ecount = 0; | |
| 5788 | 1 | len = 65; | |
| 5789 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_pubkey_serialize(ctx, NULL, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0); |
| 5790 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 1); |
| 5791 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(len == 0); |
| 5792 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, NULL, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0); |
| 5793 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 2); |
| 5794 | 1 | len = 65; | |
| 5795 | 1 | VG_UNDEF(sout, 65); | |
| 5796 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, NULL, SECP256K1_EC_UNCOMPRESSED) == 0); |
| 5797 | 1 | VG_CHECK(sout, 65); | |
| 5798 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 3); |
| 5799 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(len == 0); |
| 5800 | 1 | len = 65; | |
| 5801 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, ~0) == 0); |
| 5802 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 4); |
| 5803 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(len == 0); |
| 5804 | 1 | len = 65; | |
| 5805 | 1 | VG_UNDEF(sout, 65); | |
| 5806 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1); |
| 5807 | 1 | VG_CHECK(sout, 65); | |
| 5808 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 4); |
| 5809 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(len == 65); |
| 5810 | /* Multiple illegal args. Should still set arg error only once. */ | ||
| 5811 | 1 | ecount = 0; | |
| 5812 | 1 | ecount2 = 11; | |
| 5813 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0); |
| 5814 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 1); |
| 5815 | /* Does the illegal arg callback actually change the behavior? */ | ||
| 5816 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | secp256k1_context_set_illegal_callback(ctx, uncounting_illegal_callback_fn, &ecount2); |
| 5817 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0); |
| 5818 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 1); |
| 5819 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount2 == 10); |
| 5820 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | secp256k1_context_set_illegal_callback(ctx, NULL, NULL); |
| 5821 | /* Try a bunch of prefabbed points with all possible encodings. */ | ||
| 5822 |
2/2✓ Branch 0 taken 12 times.
✓ Branch 1 taken 1 times.
|
13 | for (i = 0; i < SECP256K1_EC_PARSE_TEST_NVALID; i++) { |
| 5823 | 12 | ec_pubkey_parse_pointtest(valid[i], 1, 1); | |
| 5824 | } | ||
| 5825 |
2/2✓ Branch 0 taken 4 times.
✓ Branch 1 taken 1 times.
|
5 | for (i = 0; i < SECP256K1_EC_PARSE_TEST_NXVALID; i++) { |
| 5826 | 4 | ec_pubkey_parse_pointtest(onlyxvalid[i], 1, 0); | |
| 5827 | } | ||
| 5828 |
2/2✓ Branch 0 taken 7 times.
✓ Branch 1 taken 1 times.
|
8 | for (i = 0; i < SECP256K1_EC_PARSE_TEST_NINVALID; i++) { |
| 5829 | 7 | ec_pubkey_parse_pointtest(invalid[i], 0, 0); | |
| 5830 | } | ||
| 5831 | 1 | } | |
| 5832 | |||
| 5833 | 1 | void run_eckey_edge_case_test(void) { | |
| 5834 | 1 | const unsigned char orderc[32] = { | |
| 5835 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
| 5836 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, | ||
| 5837 | 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b, | ||
| 5838 | 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41 | ||
| 5839 | }; | ||
| 5840 | 1 | const unsigned char zeros[sizeof(secp256k1_pubkey)] = {0x00}; | |
| 5841 | 1 | unsigned char ctmp[33]; | |
| 5842 | 1 | unsigned char ctmp2[33]; | |
| 5843 | 1 | secp256k1_pubkey pubkey; | |
| 5844 | 1 | secp256k1_pubkey pubkey2; | |
| 5845 | 1 | secp256k1_pubkey pubkey_one; | |
| 5846 | 1 | secp256k1_pubkey pubkey_negone; | |
| 5847 | 1 | const secp256k1_pubkey *pubkeys[3]; | |
| 5848 | 1 | size_t len; | |
| 5849 | 1 | int32_t ecount; | |
| 5850 | /* Group order is too large, reject. */ | ||
| 5851 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_seckey_verify(ctx, orderc) == 0); |
| 5852 | 1 | VG_UNDEF(&pubkey, sizeof(pubkey)); | |
| 5853 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, orderc) == 0); |
| 5854 | VG_CHECK(&pubkey, sizeof(pubkey)); | ||
| 5855 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0); |
| 5856 | /* Maximum value is too large, reject. */ | ||
| 5857 | 1 | memset(ctmp, 255, 32); | |
| 5858 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0); |
| 5859 | 1 | memset(&pubkey, 1, sizeof(pubkey)); | |
| 5860 | 1 | VG_UNDEF(&pubkey, sizeof(pubkey)); | |
| 5861 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0); |
| 5862 | VG_CHECK(&pubkey, sizeof(pubkey)); | ||
| 5863 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0); |
| 5864 | /* Zero is too small, reject. */ | ||
| 5865 | 1 | memset(ctmp, 0, 32); | |
| 5866 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0); |
| 5867 | 1 | memset(&pubkey, 1, sizeof(pubkey)); | |
| 5868 | 1 | VG_UNDEF(&pubkey, sizeof(pubkey)); | |
| 5869 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0); |
| 5870 | VG_CHECK(&pubkey, sizeof(pubkey)); | ||
| 5871 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0); |
| 5872 | /* One must be accepted. */ | ||
| 5873 | 1 | ctmp[31] = 0x01; | |
| 5874 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1); |
| 5875 | 1 | memset(&pubkey, 0, sizeof(pubkey)); | |
| 5876 | 1 | VG_UNDEF(&pubkey, sizeof(pubkey)); | |
| 5877 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1); |
| 5878 | VG_CHECK(&pubkey, sizeof(pubkey)); | ||
| 5879 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0); |
| 5880 | 1 | pubkey_one = pubkey; | |
| 5881 | /* Group order + 1 is too large, reject. */ | ||
| 5882 | 1 | memcpy(ctmp, orderc, 32); | |
| 5883 | 1 | ctmp[31] = 0x42; | |
| 5884 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0); |
| 5885 | 1 | memset(&pubkey, 1, sizeof(pubkey)); | |
| 5886 | 1 | VG_UNDEF(&pubkey, sizeof(pubkey)); | |
| 5887 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0); |
| 5888 | VG_CHECK(&pubkey, sizeof(pubkey)); | ||
| 5889 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0); |
| 5890 | /* -1 must be accepted. */ | ||
| 5891 | 1 | ctmp[31] = 0x40; | |
| 5892 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1); |
| 5893 | 1 | memset(&pubkey, 0, sizeof(pubkey)); | |
| 5894 | 1 | VG_UNDEF(&pubkey, sizeof(pubkey)); | |
| 5895 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1); |
| 5896 | VG_CHECK(&pubkey, sizeof(pubkey)); | ||
| 5897 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0); |
| 5898 | 1 | pubkey_negone = pubkey; | |
| 5899 | /* Tweak of zero leaves the value unchanged. */ | ||
| 5900 | 1 | memset(ctmp2, 0, 32); | |
| 5901 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, ctmp2) == 1); |
| 5902 |
2/4✓ Branch 0 taken 1 times.
✗ Branch 1 not taken.
✗ Branch 2 not taken.
✓ Branch 3 taken 1 times.
|
1 | CHECK(secp256k1_memcmp_var(orderc, ctmp, 31) == 0 && ctmp[31] == 0x40); |
| 5903 | 1 | memcpy(&pubkey2, &pubkey, sizeof(pubkey)); | |
| 5904 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1); |
| 5905 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0); |
| 5906 | /* Multiply tweak of zero zeroizes the output. */ | ||
| 5907 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, ctmp2) == 0); |
| 5908 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0); |
| 5909 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, ctmp2) == 0); |
| 5910 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0); |
| 5911 | 1 | memcpy(&pubkey, &pubkey2, sizeof(pubkey)); | |
| 5912 | /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing | ||
| 5913 | seckey, the seckey is zeroized. */ | ||
| 5914 | 1 | memcpy(ctmp, orderc, 32); | |
| 5915 | 1 | memset(ctmp2, 0, 32); | |
| 5916 | 1 | ctmp2[31] = 0x01; | |
| 5917 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_seckey_verify(ctx, ctmp2) == 1); |
| 5918 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0); |
| 5919 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, ctmp2) == 0); |
| 5920 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0); |
| 5921 | 1 | memcpy(ctmp, orderc, 32); | |
| 5922 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, ctmp2) == 0); |
| 5923 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0); |
| 5924 | /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing | ||
| 5925 | tweak, the seckey is zeroized. */ | ||
| 5926 | 1 | memcpy(ctmp, orderc, 32); | |
| 5927 | 1 | ctmp[31] = 0x40; | |
| 5928 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, orderc) == 0); |
| 5929 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0); |
| 5930 | 1 | memcpy(ctmp, orderc, 32); | |
| 5931 | 1 | ctmp[31] = 0x40; | |
| 5932 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, orderc) == 0); |
| 5933 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0); |
| 5934 | 1 | memcpy(ctmp, orderc, 32); | |
| 5935 | 1 | ctmp[31] = 0x40; | |
| 5936 | /* If pubkey_tweak_add or pubkey_tweak_mul are called with an overflowing | ||
| 5937 | tweak, the pubkey is zeroized. */ | ||
| 5938 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, orderc) == 0); |
| 5939 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0); |
| 5940 | 1 | memcpy(&pubkey, &pubkey2, sizeof(pubkey)); | |
| 5941 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, orderc) == 0); |
| 5942 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0); |
| 5943 | 1 | memcpy(&pubkey, &pubkey2, sizeof(pubkey)); | |
| 5944 | /* If the resulting key in secp256k1_ec_seckey_tweak_add and | ||
| 5945 | * secp256k1_ec_pubkey_tweak_add is 0 the functions fail and in the latter | ||
| 5946 | * case the pubkey is zeroized. */ | ||
| 5947 | 1 | memcpy(ctmp, orderc, 32); | |
| 5948 | 1 | ctmp[31] = 0x40; | |
| 5949 | 1 | memset(ctmp2, 0, 32); | |
| 5950 | 1 | ctmp2[31] = 1; | |
| 5951 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp2, ctmp) == 0); |
| 5952 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_memcmp_var(zeros, ctmp2, 32) == 0); |
| 5953 | 1 | ctmp2[31] = 1; | |
| 5954 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0); |
| 5955 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0); |
| 5956 | 1 | memcpy(&pubkey, &pubkey2, sizeof(pubkey)); | |
| 5957 | /* Tweak computation wraps and results in a key of 1. */ | ||
| 5958 | 1 | ctmp2[31] = 2; | |
| 5959 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp2, ctmp) == 1); |
| 5960 |
2/4✓ Branch 0 taken 1 times.
✗ Branch 1 not taken.
✗ Branch 2 not taken.
✓ Branch 3 taken 1 times.
|
1 | CHECK(secp256k1_memcmp_var(ctmp2, zeros, 31) == 0 && ctmp2[31] == 1); |
| 5961 | 1 | ctmp2[31] = 2; | |
| 5962 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1); |
| 5963 | 1 | ctmp2[31] = 1; | |
| 5964 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, ctmp2) == 1); |
| 5965 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0); |
| 5966 | /* Tweak mul * 2 = 1+1. */ | ||
| 5967 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1); |
| 5968 | 1 | ctmp2[31] = 2; | |
| 5969 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 1); |
| 5970 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0); |
| 5971 | /* Test argument errors. */ | ||
| 5972 | 1 | ecount = 0; | |
| 5973 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount); |
| 5974 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 0); |
| 5975 | /* Zeroize pubkey on parse error. */ | ||
| 5976 | 1 | memset(&pubkey, 0, 32); | |
| 5977 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0); |
| 5978 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 1); |
| 5979 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0); |
| 5980 | 1 | memcpy(&pubkey, &pubkey2, sizeof(pubkey)); | |
| 5981 | 1 | memset(&pubkey2, 0, 32); | |
| 5982 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 0); |
| 5983 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 2); |
| 5984 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_memcmp_var(&pubkey2, zeros, sizeof(pubkey2)) == 0); |
| 5985 | /* Plain argument errors. */ | ||
| 5986 | 1 | ecount = 0; | |
| 5987 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1); |
| 5988 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 0); |
| 5989 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_seckey_verify(ctx, NULL) == 0); |
| 5990 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 1); |
| 5991 | 1 | ecount = 0; | |
| 5992 | 1 | memset(ctmp2, 0, 32); | |
| 5993 | 1 | ctmp2[31] = 4; | |
| 5994 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_pubkey_tweak_add(ctx, NULL, ctmp2) == 0); |
| 5995 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 1); |
| 5996 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, NULL) == 0); |
| 5997 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 2); |
| 5998 | 1 | ecount = 0; | |
| 5999 | 1 | memset(ctmp2, 0, 32); | |
| 6000 | 1 | ctmp2[31] = 4; | |
| 6001 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, NULL, ctmp2) == 0); |
| 6002 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 1); |
| 6003 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, NULL) == 0); |
| 6004 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 2); |
| 6005 | 1 | ecount = 0; | |
| 6006 | 1 | memset(ctmp2, 0, 32); | |
| 6007 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_seckey_tweak_add(ctx, NULL, ctmp2) == 0); |
| 6008 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 1); |
| 6009 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, NULL) == 0); |
| 6010 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 2); |
| 6011 | 1 | ecount = 0; | |
| 6012 | 1 | memset(ctmp2, 0, 32); | |
| 6013 | 1 | ctmp2[31] = 1; | |
| 6014 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_seckey_tweak_mul(ctx, NULL, ctmp2) == 0); |
| 6015 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 1); |
| 6016 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, NULL) == 0); |
| 6017 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 2); |
| 6018 | 1 | ecount = 0; | |
| 6019 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_pubkey_create(ctx, NULL, ctmp) == 0); |
| 6020 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 1); |
| 6021 | 1 | memset(&pubkey, 1, sizeof(pubkey)); | |
| 6022 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0); |
| 6023 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 2); |
| 6024 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0); |
| 6025 | /* secp256k1_ec_pubkey_combine tests. */ | ||
| 6026 | 1 | ecount = 0; | |
| 6027 | 1 | pubkeys[0] = &pubkey_one; | |
| 6028 | 1 | VG_UNDEF(&pubkeys[0], sizeof(secp256k1_pubkey *)); | |
| 6029 | 1 | VG_UNDEF(&pubkeys[1], sizeof(secp256k1_pubkey *)); | |
| 6030 | 1 | VG_UNDEF(&pubkeys[2], sizeof(secp256k1_pubkey *)); | |
| 6031 | 1 | memset(&pubkey, 255, sizeof(secp256k1_pubkey)); | |
| 6032 | 1 | VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey)); | |
| 6033 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 0) == 0); |
| 6034 | VG_CHECK(&pubkey, sizeof(secp256k1_pubkey)); | ||
| 6035 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0); |
| 6036 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 1); |
| 6037 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_pubkey_combine(ctx, NULL, pubkeys, 1) == 0); |
| 6038 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0); |
| 6039 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 2); |
| 6040 | 1 | memset(&pubkey, 255, sizeof(secp256k1_pubkey)); | |
| 6041 | 1 | VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey)); | |
| 6042 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, NULL, 1) == 0); |
| 6043 | VG_CHECK(&pubkey, sizeof(secp256k1_pubkey)); | ||
| 6044 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0); |
| 6045 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 3); |
| 6046 | 1 | pubkeys[0] = &pubkey_negone; | |
| 6047 | 1 | memset(&pubkey, 255, sizeof(secp256k1_pubkey)); | |
| 6048 | 1 | VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey)); | |
| 6049 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 1) == 1); |
| 6050 | VG_CHECK(&pubkey, sizeof(secp256k1_pubkey)); | ||
| 6051 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0); |
| 6052 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 3); |
| 6053 | 1 | len = 33; | |
| 6054 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1); |
| 6055 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_negone, SECP256K1_EC_COMPRESSED) == 1); |
| 6056 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_memcmp_var(ctmp, ctmp2, 33) == 0); |
| 6057 | /* Result is infinity. */ | ||
| 6058 | 1 | pubkeys[0] = &pubkey_one; | |
| 6059 | 1 | pubkeys[1] = &pubkey_negone; | |
| 6060 | 1 | memset(&pubkey, 255, sizeof(secp256k1_pubkey)); | |
| 6061 | 1 | VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey)); | |
| 6062 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 0); |
| 6063 | VG_CHECK(&pubkey, sizeof(secp256k1_pubkey)); | ||
| 6064 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0); |
| 6065 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 3); |
| 6066 | /* Passes through infinity but comes out one. */ | ||
| 6067 | 1 | pubkeys[2] = &pubkey_one; | |
| 6068 | 1 | memset(&pubkey, 255, sizeof(secp256k1_pubkey)); | |
| 6069 | 1 | VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey)); | |
| 6070 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 3) == 1); |
| 6071 | VG_CHECK(&pubkey, sizeof(secp256k1_pubkey)); | ||
| 6072 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0); |
| 6073 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 3); |
| 6074 | 1 | len = 33; | |
| 6075 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1); |
| 6076 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_one, SECP256K1_EC_COMPRESSED) == 1); |
| 6077 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_memcmp_var(ctmp, ctmp2, 33) == 0); |
| 6078 | /* Adds to two. */ | ||
| 6079 | 1 | pubkeys[1] = &pubkey_one; | |
| 6080 | 1 | memset(&pubkey, 255, sizeof(secp256k1_pubkey)); | |
| 6081 | 1 | VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey)); | |
| 6082 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 1); |
| 6083 | VG_CHECK(&pubkey, sizeof(secp256k1_pubkey)); | ||
| 6084 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0); |
| 6085 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 3); |
| 6086 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | secp256k1_context_set_illegal_callback(ctx, NULL, NULL); |
| 6087 | 1 | } | |
| 6088 | |||
| 6089 | 1 | void run_eckey_negate_test(void) { | |
| 6090 | 1 | unsigned char seckey[32]; | |
| 6091 | 1 | unsigned char seckey_tmp[32]; | |
| 6092 | |||
| 6093 | 1 | random_scalar_order_b32(seckey); | |
| 6094 | 1 | memcpy(seckey_tmp, seckey, 32); | |
| 6095 | |||
| 6096 | /* Verify negation changes the key and changes it back */ | ||
| 6097 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 1); |
| 6098 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) != 0); |
| 6099 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 1); |
| 6100 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0); |
| 6101 | |||
| 6102 | /* Check that privkey alias gives same result */ | ||
| 6103 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 1); |
| 6104 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_privkey_negate(ctx, seckey_tmp) == 1); |
| 6105 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0); |
| 6106 | |||
| 6107 | /* Negating all 0s fails */ | ||
| 6108 | 1 | memset(seckey, 0, 32); | |
| 6109 | 1 | memset(seckey_tmp, 0, 32); | |
| 6110 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 0); |
| 6111 | /* Check that seckey is not modified */ | ||
| 6112 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0); |
| 6113 | |||
| 6114 | /* Negating an overflowing seckey fails and the seckey is zeroed. In this | ||
| 6115 | * test, the seckey has 16 random bytes to ensure that ec_seckey_negate | ||
| 6116 | * doesn't just set seckey to a constant value in case of failure. */ | ||
| 6117 | 1 | random_scalar_order_b32(seckey); | |
| 6118 | 1 | memset(seckey, 0xFF, 16); | |
| 6119 | 1 | memset(seckey_tmp, 0, 32); | |
| 6120 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 0); |
| 6121 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0); |
| 6122 | 1 | } | |
| 6123 | |||
| 6124 | 640 | void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid) { | |
| 6125 | 640 | secp256k1_scalar nonce; | |
| 6126 | 640 | do { | |
| 6127 | 640 | random_scalar_order_test(&nonce); | |
| 6128 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 640 times.
|
640 | } while(!secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid)); |
| 6129 | 640 | } | |
| 6130 | |||
| 6131 | 640 | void test_ecdsa_sign_verify(void) { | |
| 6132 | 640 | secp256k1_gej pubj; | |
| 6133 | 640 | secp256k1_ge pub; | |
| 6134 | 640 | secp256k1_scalar one; | |
| 6135 | 640 | secp256k1_scalar msg, key; | |
| 6136 | 640 | secp256k1_scalar sigr, sigs; | |
| 6137 | 640 | int getrec; | |
| 6138 | 640 | int recid; | |
| 6139 | 640 | random_scalar_order_test(&msg); | |
| 6140 | 640 | random_scalar_order_test(&key); | |
| 6141 | 640 | secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pubj, &key); | |
| 6142 | 640 | secp256k1_ge_set_gej(&pub, &pubj); | |
| 6143 | 640 | getrec = secp256k1_testrand_bits(1); | |
| 6144 | /* The specific way in which this conditional is written sidesteps a potential bug in clang. | ||
| 6145 | See the commit messages of the commit that introduced this comment for details. */ | ||
| 6146 |
2/2✓ Branch 0 taken 325 times.
✓ Branch 1 taken 315 times.
|
640 | if (getrec) { |
| 6147 | 325 | random_sign(&sigr, &sigs, &key, &msg, &recid); | |
| 6148 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 325 times.
|
325 | CHECK(recid >= 0 && recid < 4); |
| 6149 | } else { | ||
| 6150 | 315 | random_sign(&sigr, &sigs, &key, &msg, NULL); | |
| 6151 | } | ||
| 6152 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 640 times.
|
640 | CHECK(secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg)); |
| 6153 | 640 | secp256k1_scalar_set_int(&one, 1); | |
| 6154 | 640 | secp256k1_scalar_add(&msg, &msg, &one); | |
| 6155 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 640 times.
|
640 | CHECK(!secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg)); |
| 6156 | 640 | } | |
| 6157 | |||
| 6158 | 1 | void run_ecdsa_sign_verify(void) { | |
| 6159 | 1 | int i; | |
| 6160 |
2/2✓ Branch 0 taken 640 times.
✓ Branch 1 taken 1 times.
|
641 | for (i = 0; i < 10*count; i++) { |
| 6161 | 640 | test_ecdsa_sign_verify(); | |
| 6162 | } | ||
| 6163 | 1 | } | |
| 6164 | |||
| 6165 | /** Dummy nonce generation function that just uses a precomputed nonce, and fails if it is not accepted. Use only for testing. */ | ||
| 6166 | 6 | static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) { | |
| 6167 | 6 | (void)msg32; | |
| 6168 | 6 | (void)key32; | |
| 6169 | 6 | (void)algo16; | |
| 6170 | 6 | memcpy(nonce32, data, 32); | |
| 6171 | 6 | return (counter == 0); | |
| 6172 | } | ||
| 6173 | |||
| 6174 | 2 | static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) { | |
| 6175 | /* Dummy nonce generator that has a fatal error on the first counter value. */ | ||
| 6176 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
|
2 | if (counter == 0) { |
| 6177 | return 0; | ||
| 6178 | } | ||
| 6179 | ✗ | return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 1); | |
| 6180 | } | ||
| 6181 | |||
| 6182 | 12 | static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) { | |
| 6183 | /* Dummy nonce generator that produces unacceptable nonces for the first several counter values. */ | ||
| 6184 |
2/2✓ Branch 0 taken 6 times.
✓ Branch 1 taken 6 times.
|
12 | if (counter < 3) { |
| 6185 |
2/2✓ Branch 0 taken 4 times.
✓ Branch 1 taken 2 times.
|
6 | memset(nonce32, counter==0 ? 0 : 255, 32); |
| 6186 |
2/2✓ Branch 0 taken 2 times.
✓ Branch 1 taken 4 times.
|
6 | if (counter == 2) { |
| 6187 | 2 | nonce32[31]--; | |
| 6188 | } | ||
| 6189 | 6 | return 1; | |
| 6190 | } | ||
| 6191 |
2/2✓ Branch 0 taken 4 times.
✓ Branch 1 taken 2 times.
|
6 | if (counter < 5) { |
| 6192 | 4 | static const unsigned char order[] = { | |
| 6193 | 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, | ||
| 6194 | 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE, | ||
| 6195 | 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B, | ||
| 6196 | 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41 | ||
| 6197 | }; | ||
| 6198 | 4 | memcpy(nonce32, order, 32); | |
| 6199 |
2/2✓ Branch 0 taken 2 times.
✓ Branch 1 taken 2 times.
|
4 | if (counter == 4) { |
| 6200 | 2 | nonce32[31]++; | |
| 6201 | } | ||
| 6202 | 4 | return 1; | |
| 6203 | } | ||
| 6204 | /* Retry rate of 6979 is negligible esp. as we only call this in deterministic tests. */ | ||
| 6205 | /* If someone does fine a case where it retries for secp256k1, we'd like to know. */ | ||
| 6206 |
1/2✓ Branch 0 taken 2 times.
✗ Branch 1 not taken.
|
2 | if (counter > 5) { |
| 6207 | return 0; | ||
| 6208 | } | ||
| 6209 | 2 | return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 5); | |
| 6210 | } | ||
| 6211 | |||
| 6212 | 1036 | int is_empty_signature(const secp256k1_ecdsa_signature *sig) { | |
| 6213 | 1036 | static const unsigned char res[sizeof(secp256k1_ecdsa_signature)] = {0}; | |
| 6214 | 1036 | return secp256k1_memcmp_var(sig, res, sizeof(secp256k1_ecdsa_signature)) == 0; | |
| 6215 | } | ||
| 6216 | |||
| 6217 | 4096 | void test_ecdsa_end_to_end(void) { | |
| 6218 | 4096 | unsigned char extra[32] = {0x00}; | |
| 6219 | 4096 | unsigned char privkey[32]; | |
| 6220 | 4096 | unsigned char message[32]; | |
| 6221 | 4096 | unsigned char privkey2[32]; | |
| 6222 | 4096 | secp256k1_ecdsa_signature signature[6]; | |
| 6223 | 4096 | secp256k1_scalar r, s; | |
| 6224 | 4096 | unsigned char sig[74]; | |
| 6225 | 4096 | size_t siglen = 74; | |
| 6226 | 4096 | unsigned char pubkeyc[65]; | |
| 6227 | 4096 | size_t pubkeyclen = 65; | |
| 6228 | 4096 | secp256k1_pubkey pubkey; | |
| 6229 | 4096 | secp256k1_pubkey pubkey_tmp; | |
| 6230 | 4096 | unsigned char seckey[300]; | |
| 6231 | 4096 | size_t seckeylen = 300; | |
| 6232 | |||
| 6233 | /* Generate a random key and message. */ | ||
| 6234 | { | ||
| 6235 | 4096 | secp256k1_scalar msg, key; | |
| 6236 | 4096 | random_scalar_order_test(&msg); | |
| 6237 | 4096 | random_scalar_order_test(&key); | |
| 6238 | 4096 | secp256k1_scalar_get_b32(privkey, &key); | |
| 6239 | 4096 | secp256k1_scalar_get_b32(message, &msg); | |
| 6240 | } | ||
| 6241 | |||
| 6242 | /* Construct and verify corresponding public key. */ | ||
| 6243 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 4096 times.
|
4096 | CHECK(secp256k1_ec_seckey_verify(ctx, privkey) == 1); |
| 6244 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 4096 times.
|
4096 | CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, privkey) == 1); |
| 6245 | |||
| 6246 | /* Verify exporting and importing public key. */ | ||
| 6247 |
3/4✓ Branch 1 taken 2091 times.
✓ Branch 2 taken 2005 times.
✗ Branch 4 not taken.
✓ Branch 5 taken 4096 times.
|
6187 | CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyc, &pubkeyclen, &pubkey, secp256k1_testrand_bits(1) == 1 ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED)); |
| 6248 | 4096 | memset(&pubkey, 0, sizeof(pubkey)); | |
| 6249 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 4096 times.
|
4096 | CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1); |
| 6250 | |||
| 6251 | /* Verify negation changes the key and changes it back */ | ||
| 6252 | 4096 | memcpy(&pubkey_tmp, &pubkey, sizeof(pubkey)); | |
| 6253 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 4096 times.
|
4096 | CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1); |
| 6254 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 4096 times.
|
4096 | CHECK(secp256k1_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) != 0); |
| 6255 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 4096 times.
|
4096 | CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1); |
| 6256 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 4096 times.
|
4096 | CHECK(secp256k1_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) == 0); |
| 6257 | |||
| 6258 | /* Verify private key import and export. */ | ||
| 6259 |
1/2✗ Branch 2 not taken.
✓ Branch 3 taken 4096 times.
|
4096 | CHECK(ec_privkey_export_der(ctx, seckey, &seckeylen, privkey, secp256k1_testrand_bits(1) == 1)); |
| 6260 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 4096 times.
|
4096 | CHECK(ec_privkey_import_der(ctx, privkey2, seckey, seckeylen) == 1); |
| 6261 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 4096 times.
|
4096 | CHECK(secp256k1_memcmp_var(privkey, privkey2, 32) == 0); |
| 6262 | |||
| 6263 | /* Optionally tweak the keys using addition. */ | ||
| 6264 |
2/2✓ Branch 1 taken 1409 times.
✓ Branch 2 taken 2687 times.
|
4096 | if (secp256k1_testrand_int(3) == 0) { |
| 6265 | 1409 | int ret1; | |
| 6266 | 1409 | int ret2; | |
| 6267 | 1409 | int ret3; | |
| 6268 | 1409 | unsigned char rnd[32]; | |
| 6269 | 1409 | unsigned char privkey_tmp[32]; | |
| 6270 | 1409 | secp256k1_pubkey pubkey2; | |
| 6271 | 1409 | secp256k1_testrand256_test(rnd); | |
| 6272 | 1409 | memcpy(privkey_tmp, privkey, 32); | |
| 6273 | 1409 | ret1 = secp256k1_ec_seckey_tweak_add(ctx, privkey, rnd); | |
| 6274 | 1409 | ret2 = secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, rnd); | |
| 6275 | /* Check that privkey alias gives same result */ | ||
| 6276 | 1409 | ret3 = secp256k1_ec_privkey_tweak_add(ctx, privkey_tmp, rnd); | |
| 6277 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1409 times.
|
1409 | CHECK(ret1 == ret2); |
| 6278 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1409 times.
|
1409 | CHECK(ret2 == ret3); |
| 6279 |
2/2✓ Branch 0 taken 19 times.
✓ Branch 1 taken 1390 times.
|
1409 | if (ret1 == 0) { |
| 6280 | 19 | return; | |
| 6281 | } | ||
| 6282 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1390 times.
|
1390 | CHECK(secp256k1_memcmp_var(privkey, privkey_tmp, 32) == 0); |
| 6283 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1390 times.
|
1390 | CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1); |
| 6284 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1390 times.
|
1390 | CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0); |
| 6285 | } | ||
| 6286 | |||
| 6287 | /* Optionally tweak the keys using multiplication. */ | ||
| 6288 |
2/2✓ Branch 1 taken 1329 times.
✓ Branch 2 taken 2748 times.
|
4077 | if (secp256k1_testrand_int(3) == 0) { |
| 6289 | 1329 | int ret1; | |
| 6290 | 1329 | int ret2; | |
| 6291 | 1329 | int ret3; | |
| 6292 | 1329 | unsigned char rnd[32]; | |
| 6293 | 1329 | unsigned char privkey_tmp[32]; | |
| 6294 | 1329 | secp256k1_pubkey pubkey2; | |
| 6295 | 1329 | secp256k1_testrand256_test(rnd); | |
| 6296 | 1329 | memcpy(privkey_tmp, privkey, 32); | |
| 6297 | 1329 | ret1 = secp256k1_ec_seckey_tweak_mul(ctx, privkey, rnd); | |
| 6298 | 1329 | ret2 = secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, rnd); | |
| 6299 | /* Check that privkey alias gives same result */ | ||
| 6300 | 1329 | ret3 = secp256k1_ec_privkey_tweak_mul(ctx, privkey_tmp, rnd); | |
| 6301 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1329 times.
|
1329 | CHECK(ret1 == ret2); |
| 6302 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1329 times.
|
1329 | CHECK(ret2 == ret3); |
| 6303 |
2/2✓ Branch 0 taken 10 times.
✓ Branch 1 taken 1319 times.
|
1329 | if (ret1 == 0) { |
| 6304 | 10 | return; | |
| 6305 | } | ||
| 6306 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1319 times.
|
1319 | CHECK(secp256k1_memcmp_var(privkey, privkey_tmp, 32) == 0); |
| 6307 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1319 times.
|
1319 | CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1); |
| 6308 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1319 times.
|
1319 | CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0); |
| 6309 | } | ||
| 6310 | |||
| 6311 | /* Sign. */ | ||
| 6312 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 4067 times.
|
4067 | CHECK(secp256k1_ecdsa_sign(ctx, &signature[0], message, privkey, NULL, NULL) == 1); |
| 6313 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 4067 times.
|
4067 | CHECK(secp256k1_ecdsa_sign(ctx, &signature[4], message, privkey, NULL, NULL) == 1); |
| 6314 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 4067 times.
|
4067 | CHECK(secp256k1_ecdsa_sign(ctx, &signature[1], message, privkey, NULL, extra) == 1); |
| 6315 | 4067 | extra[31] = 1; | |
| 6316 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 4067 times.
|
4067 | CHECK(secp256k1_ecdsa_sign(ctx, &signature[2], message, privkey, NULL, extra) == 1); |
| 6317 | 4067 | extra[31] = 0; | |
| 6318 | 4067 | extra[0] = 1; | |
| 6319 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 4067 times.
|
4067 | CHECK(secp256k1_ecdsa_sign(ctx, &signature[3], message, privkey, NULL, extra) == 1); |
| 6320 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 4067 times.
|
4067 | CHECK(secp256k1_memcmp_var(&signature[0], &signature[4], sizeof(signature[0])) == 0); |
| 6321 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 4067 times.
|
4067 | CHECK(secp256k1_memcmp_var(&signature[0], &signature[1], sizeof(signature[0])) != 0); |
| 6322 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 4067 times.
|
4067 | CHECK(secp256k1_memcmp_var(&signature[0], &signature[2], sizeof(signature[0])) != 0); |
| 6323 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 4067 times.
|
4067 | CHECK(secp256k1_memcmp_var(&signature[0], &signature[3], sizeof(signature[0])) != 0); |
| 6324 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 4067 times.
|
4067 | CHECK(secp256k1_memcmp_var(&signature[1], &signature[2], sizeof(signature[0])) != 0); |
| 6325 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 4067 times.
|
4067 | CHECK(secp256k1_memcmp_var(&signature[1], &signature[3], sizeof(signature[0])) != 0); |
| 6326 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 4067 times.
|
4067 | CHECK(secp256k1_memcmp_var(&signature[2], &signature[3], sizeof(signature[0])) != 0); |
| 6327 | /* Verify. */ | ||
| 6328 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 4067 times.
|
4067 | CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1); |
| 6329 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 4067 times.
|
4067 | CHECK(secp256k1_ecdsa_verify(ctx, &signature[1], message, &pubkey) == 1); |
| 6330 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 4067 times.
|
4067 | CHECK(secp256k1_ecdsa_verify(ctx, &signature[2], message, &pubkey) == 1); |
| 6331 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 4067 times.
|
4067 | CHECK(secp256k1_ecdsa_verify(ctx, &signature[3], message, &pubkey) == 1); |
| 6332 | /* Test lower-S form, malleate, verify and fail, test again, malleate again */ | ||
| 6333 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 4067 times.
|
4067 | CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[0])); |
| 6334 | 4067 | secp256k1_ecdsa_signature_load(ctx, &r, &s, &signature[0]); | |
| 6335 | 4067 | secp256k1_scalar_negate(&s, &s); | |
| 6336 | 4067 | secp256k1_ecdsa_signature_save(&signature[5], &r, &s); | |
| 6337 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 4067 times.
|
4067 | CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 0); |
| 6338 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 4067 times.
|
4067 | CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5])); |
| 6339 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 4067 times.
|
4067 | CHECK(secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5])); |
| 6340 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 4067 times.
|
4067 | CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5])); |
| 6341 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 4067 times.
|
4067 | CHECK(!secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5])); |
| 6342 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 4067 times.
|
4067 | CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1); |
| 6343 | 4067 | secp256k1_scalar_negate(&s, &s); | |
| 6344 | 4067 | secp256k1_ecdsa_signature_save(&signature[5], &r, &s); | |
| 6345 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 4067 times.
|
4067 | CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5])); |
| 6346 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 4067 times.
|
4067 | CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1); |
| 6347 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 4067 times.
|
4067 | CHECK(secp256k1_memcmp_var(&signature[5], &signature[0], 64) == 0); |
| 6348 | |||
| 6349 | /* Serialize/parse DER and verify again */ | ||
| 6350 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 4067 times.
|
4067 | CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1); |
| 6351 | 4067 | memset(&signature[0], 0, sizeof(signature[0])); | |
| 6352 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 4067 times.
|
4067 | CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 1); |
| 6353 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 4067 times.
|
4067 | CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1); |
| 6354 | /* Serialize/destroy/parse DER and verify again. */ | ||
| 6355 | 4067 | siglen = 74; | |
| 6356 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 4067 times.
|
4067 | CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1); |
| 6357 | 4067 | sig[secp256k1_testrand_int(siglen)] += 1 + secp256k1_testrand_int(255); | |
| 6358 |
3/4✓ Branch 1 taken 3677 times.
✓ Branch 2 taken 390 times.
✗ Branch 4 not taken.
✓ Branch 5 taken 3677 times.
|
4067 | CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 0 || |
| 6359 | secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 0); | ||
| 6360 | } | ||
| 6361 | |||
| 6362 | 640 | void test_random_pubkeys(void) { | |
| 6363 | 640 | secp256k1_ge elem; | |
| 6364 | 640 | secp256k1_ge elem2; | |
| 6365 | 640 | unsigned char in[65]; | |
| 6366 | /* Generate some randomly sized pubkeys. */ | ||
| 6367 |
2/2✓ Branch 1 taken 490 times.
✓ Branch 2 taken 150 times.
|
640 | size_t len = secp256k1_testrand_bits(2) == 0 ? 65 : 33; |
| 6368 |
2/2✓ Branch 1 taken 161 times.
✓ Branch 2 taken 479 times.
|
640 | if (secp256k1_testrand_bits(2) == 0) { |
| 6369 | 161 | len = secp256k1_testrand_bits(6); | |
| 6370 | } | ||
| 6371 |
2/2✓ Branch 0 taken 114 times.
✓ Branch 1 taken 526 times.
|
640 | if (len == 65) { |
| 6372 |
4/4✓ Branch 1 taken 55 times.
✓ Branch 2 taken 59 times.
✓ Branch 4 taken 31 times.
✓ Branch 5 taken 24 times.
|
145 | in[0] = secp256k1_testrand_bits(1) ? 4 : (secp256k1_testrand_bits(1) ? 6 : 7); |
| 6373 | } else { | ||
| 6374 |
2/2✓ Branch 1 taken 248 times.
✓ Branch 2 taken 278 times.
|
774 | in[0] = secp256k1_testrand_bits(1) ? 2 : 3; |
| 6375 | } | ||
| 6376 |
2/2✓ Branch 1 taken 82 times.
✓ Branch 2 taken 558 times.
|
640 | if (secp256k1_testrand_bits(3) == 0) { |
| 6377 | 82 | in[0] = secp256k1_testrand_bits(8); | |
| 6378 | } | ||
| 6379 |
2/2✓ Branch 0 taken 637 times.
✓ Branch 1 taken 3 times.
|
640 | if (len > 1) { |
| 6380 | 637 | secp256k1_testrand256(&in[1]); | |
| 6381 | } | ||
| 6382 |
2/2✓ Branch 0 taken 193 times.
✓ Branch 1 taken 444 times.
|
637 | if (len > 33) { |
| 6383 | 193 | secp256k1_testrand256(&in[33]); | |
| 6384 | } | ||
| 6385 |
2/2✓ Branch 1 taken 168 times.
✓ Branch 2 taken 472 times.
|
640 | if (secp256k1_eckey_pubkey_parse(&elem, in, len)) { |
| 6386 | 168 | unsigned char out[65]; | |
| 6387 | 168 | unsigned char firstb; | |
| 6388 | 168 | int res; | |
| 6389 | 168 | size_t size = len; | |
| 6390 | 168 | firstb = in[0]; | |
| 6391 | /* If the pubkey can be parsed, it should round-trip... */ | ||
| 6392 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 168 times.
|
168 | CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, len == 33)); |
| 6393 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 168 times.
|
168 | CHECK(size == len); |
| 6394 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 168 times.
|
336 | CHECK(secp256k1_memcmp_var(&in[1], &out[1], len-1) == 0); |
| 6395 | /* ... except for the type of hybrid inputs. */ | ||
| 6396 |
1/2✓ Branch 0 taken 168 times.
✗ Branch 1 not taken.
|
168 | if ((in[0] != 6) && (in[0] != 7)) { |
| 6397 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 168 times.
|
168 | CHECK(in[0] == out[0]); |
| 6398 | } | ||
| 6399 | 168 | size = 65; | |
| 6400 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 168 times.
|
168 | CHECK(secp256k1_eckey_pubkey_serialize(&elem, in, &size, 0)); |
| 6401 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 168 times.
|
168 | CHECK(size == 65); |
| 6402 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 168 times.
|
168 | CHECK(secp256k1_eckey_pubkey_parse(&elem2, in, size)); |
| 6403 | 168 | ge_equals_ge(&elem,&elem2); | |
| 6404 | /* Check that the X9.62 hybrid type is checked. */ | ||
| 6405 |
2/2✓ Branch 1 taken 77 times.
✓ Branch 2 taken 91 times.
|
168 | in[0] = secp256k1_testrand_bits(1) ? 6 : 7; |
| 6406 | 168 | res = secp256k1_eckey_pubkey_parse(&elem2, in, size); | |
| 6407 |
1/2✓ Branch 0 taken 168 times.
✗ Branch 1 not taken.
|
168 | if (firstb == 2 || firstb == 3) { |
| 6408 |
2/2✓ Branch 0 taken 78 times.
✓ Branch 1 taken 90 times.
|
168 | if (in[0] == firstb + 4) { |
| 6409 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 78 times.
|
78 | CHECK(res); |
| 6410 | } else { | ||
| 6411 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 90 times.
|
90 | CHECK(!res); |
| 6412 | } | ||
| 6413 | } | ||
| 6414 |
2/2✓ Branch 0 taken 78 times.
✓ Branch 1 taken 90 times.
|
168 | if (res) { |
| 6415 | 78 | ge_equals_ge(&elem,&elem2); | |
| 6416 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 78 times.
|
78 | CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, 0)); |
| 6417 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 78 times.
|
168 | CHECK(secp256k1_memcmp_var(&in[1], &out[1], 64) == 0); |
| 6418 | } | ||
| 6419 | } | ||
| 6420 | 640 | } | |
| 6421 | |||
| 6422 | 1 | void run_pubkey_comparison(void) { | |
| 6423 | 1 | unsigned char pk1_ser[33] = { | |
| 6424 | 0x02, | ||
| 6425 | 0x58, 0x84, 0xb3, 0xa2, 0x4b, 0x97, 0x37, 0x88, 0x92, 0x38, 0xa6, 0x26, 0x62, 0x52, 0x35, 0x11, | ||
| 6426 | 0xd0, 0x9a, 0xa1, 0x1b, 0x80, 0x0b, 0x5e, 0x93, 0x80, 0x26, 0x11, 0xef, 0x67, 0x4b, 0xd9, 0x23 | ||
| 6427 | }; | ||
| 6428 | 1 | const unsigned char pk2_ser[33] = { | |
| 6429 | 0x02, | ||
| 6430 | 0xde, 0x36, 0x0e, 0x87, 0x59, 0x8f, 0x3c, 0x01, 0x36, 0x2a, 0x2a, 0xb8, 0xc6, 0xf4, 0x5e, 0x4d, | ||
| 6431 | 0xb2, 0xc2, 0xd5, 0x03, 0xa7, 0xf9, 0xf1, 0x4f, 0xa8, 0xfa, 0x95, 0xa8, 0xe9, 0x69, 0x76, 0x1c | ||
| 6432 | }; | ||
| 6433 | 1 | secp256k1_pubkey pk1; | |
| 6434 | 1 | secp256k1_pubkey pk2; | |
| 6435 | 1 | int32_t ecount = 0; | |
| 6436 | |||
| 6437 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_pubkey_parse(ctx, &pk1, pk1_ser, sizeof(pk1_ser)) == 1); |
| 6438 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_pubkey_parse(ctx, &pk2, pk2_ser, sizeof(pk2_ser)) == 1); |
| 6439 | |||
| 6440 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount); |
| 6441 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_pubkey_cmp(ctx, NULL, &pk2) < 0); |
| 6442 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 1); |
| 6443 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk1, NULL) > 0); |
| 6444 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 2); |
| 6445 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk1, &pk2) < 0); |
| 6446 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk2, &pk1) > 0); |
| 6447 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk1, &pk1) == 0); |
| 6448 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk2, &pk2) == 0); |
| 6449 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 2); |
| 6450 | { | ||
| 6451 | 1 | secp256k1_pubkey pk_tmp; | |
| 6452 | 1 | memset(&pk_tmp, 0, sizeof(pk_tmp)); /* illegal pubkey */ | |
| 6453 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk_tmp, &pk2) < 0); |
| 6454 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 3); |
| 6455 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk_tmp, &pk_tmp) == 0); |
| 6456 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 5); |
| 6457 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk2, &pk_tmp) > 0); |
| 6458 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 6); |
| 6459 | } | ||
| 6460 | |||
| 6461 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | secp256k1_context_set_illegal_callback(ctx, NULL, NULL); |
| 6462 | |||
| 6463 | /* Make pk2 the same as pk1 but with 3 rather than 2. Note that in | ||
| 6464 | * an uncompressed encoding, these would have the opposite ordering */ | ||
| 6465 | 1 | pk1_ser[0] = 3; | |
| 6466 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_pubkey_parse(ctx, &pk2, pk1_ser, sizeof(pk1_ser)) == 1); |
| 6467 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk1, &pk2) < 0); |
| 6468 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk2, &pk1) > 0); |
| 6469 | 1 | } | |
| 6470 | |||
| 6471 | 1 | void run_random_pubkeys(void) { | |
| 6472 | 1 | int i; | |
| 6473 |
2/2✓ Branch 0 taken 640 times.
✓ Branch 1 taken 1 times.
|
641 | for (i = 0; i < 10*count; i++) { |
| 6474 | 640 | test_random_pubkeys(); | |
| 6475 | } | ||
| 6476 | 1 | } | |
| 6477 | |||
| 6478 | 1 | void run_ecdsa_end_to_end(void) { | |
| 6479 | 1 | int i; | |
| 6480 |
2/2✓ Branch 0 taken 4096 times.
✓ Branch 1 taken 1 times.
|
4097 | for (i = 0; i < 64*count; i++) { |
| 6481 | 4096 | test_ecdsa_end_to_end(); | |
| 6482 | } | ||
| 6483 | 1 | } | |
| 6484 | |||
| 6485 | 204800 | int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der) { | |
| 6486 | 204800 | static const unsigned char zeroes[32] = {0}; | |
| 6487 | |||
| 6488 | 204800 | int ret = 0; | |
| 6489 | |||
| 6490 | 204800 | secp256k1_ecdsa_signature sig_der; | |
| 6491 | 204800 | unsigned char roundtrip_der[2048]; | |
| 6492 | 204800 | unsigned char compact_der[64]; | |
| 6493 | 204800 | size_t len_der = 2048; | |
| 6494 | 204800 | int parsed_der = 0, valid_der = 0, roundtrips_der = 0; | |
| 6495 | |||
| 6496 | 204800 | secp256k1_ecdsa_signature sig_der_lax; | |
| 6497 | 204800 | unsigned char roundtrip_der_lax[2048]; | |
| 6498 | 204800 | unsigned char compact_der_lax[64]; | |
| 6499 | 204800 | size_t len_der_lax = 2048; | |
| 6500 | 204800 | int parsed_der_lax = 0, valid_der_lax = 0, roundtrips_der_lax = 0; | |
| 6501 | |||
| 6502 | 204800 | parsed_der = secp256k1_ecdsa_signature_parse_der(ctx, &sig_der, sig, siglen); | |
| 6503 |
2/2✓ Branch 0 taken 9897 times.
✓ Branch 1 taken 194903 times.
|
204800 | if (parsed_der) { |
| 6504 | 9897 | ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der, &sig_der)) << 0; | |
| 6505 |
4/4✓ Branch 0 taken 9486 times.
✓ Branch 1 taken 411 times.
✓ Branch 2 taken 9063 times.
✓ Branch 3 taken 423 times.
|
29280 | valid_der = (secp256k1_memcmp_var(compact_der, zeroes, 32) != 0) && (secp256k1_memcmp_var(compact_der + 32, zeroes, 32) != 0); |
| 6506 | } | ||
| 6507 | 9063 | if (valid_der) { | |
| 6508 |
1/2✓ Branch 1 taken 9063 times.
✗ Branch 2 not taken.
|
9063 | ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der, &len_der, &sig_der)) << 1; |
| 6509 |
2/4✓ Branch 0 taken 9063 times.
✗ Branch 1 not taken.
✗ Branch 2 not taken.
✓ Branch 3 taken 9063 times.
|
18126 | roundtrips_der = (len_der == siglen) && secp256k1_memcmp_var(roundtrip_der, sig, siglen) == 0; |
| 6510 | } | ||
| 6511 | |||
| 6512 | 204800 | parsed_der_lax = ecdsa_signature_parse_der_lax(ctx, &sig_der_lax, sig, siglen); | |
| 6513 |
2/2✓ Branch 0 taken 23280 times.
✓ Branch 1 taken 181520 times.
|
204800 | if (parsed_der_lax) { |
| 6514 |
1/2✓ Branch 1 taken 23280 times.
✗ Branch 2 not taken.
|
23280 | ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der_lax, &sig_der_lax)) << 10; |
| 6515 |
4/4✓ Branch 0 taken 19945 times.
✓ Branch 1 taken 3335 times.
✓ Branch 2 taken 18782 times.
✓ Branch 3 taken 1163 times.
|
66505 | valid_der_lax = (secp256k1_memcmp_var(compact_der_lax, zeroes, 32) != 0) && (secp256k1_memcmp_var(compact_der_lax + 32, zeroes, 32) != 0); |
| 6516 | } | ||
| 6517 | 18782 | if (valid_der_lax) { | |
| 6518 |
1/2✓ Branch 1 taken 18782 times.
✗ Branch 2 not taken.
|
18782 | ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der_lax, &len_der_lax, &sig_der_lax)) << 11; |
| 6519 |
4/4✓ Branch 0 taken 9586 times.
✓ Branch 1 taken 9196 times.
✓ Branch 2 taken 523 times.
✓ Branch 3 taken 9063 times.
|
28368 | roundtrips_der_lax = (len_der_lax == siglen) && secp256k1_memcmp_var(roundtrip_der_lax, sig, siglen) == 0; |
| 6520 | } | ||
| 6521 | |||
| 6522 |
2/2✓ Branch 0 taken 3266 times.
✓ Branch 1 taken 201534 times.
|
204800 | if (certainly_der) { |
| 6523 |
1/2✓ Branch 0 taken 3266 times.
✗ Branch 1 not taken.
|
6532 | ret |= (!parsed_der) << 2; |
| 6524 | } | ||
| 6525 |
2/2✓ Branch 0 taken 9534 times.
✓ Branch 1 taken 195266 times.
|
204800 | if (certainly_not_der) { |
| 6526 | 9534 | ret |= (parsed_der) << 17; | |
| 6527 | } | ||
| 6528 |
2/2✓ Branch 0 taken 9063 times.
✓ Branch 1 taken 195737 times.
|
204800 | if (valid_der) { |
| 6529 |
1/2✓ Branch 0 taken 9063 times.
✗ Branch 1 not taken.
|
9063 | ret |= (!roundtrips_der) << 3; |
| 6530 | } | ||
| 6531 | |||
| 6532 | 9063 | if (valid_der) { | |
| 6533 |
1/2✓ Branch 0 taken 9063 times.
✗ Branch 1 not taken.
|
9063 | ret |= (!roundtrips_der_lax) << 12; |
| 6534 |
1/2✓ Branch 0 taken 9063 times.
✗ Branch 1 not taken.
|
9063 | ret |= (len_der != len_der_lax) << 13; |
| 6535 |
2/4✓ Branch 0 taken 9063 times.
✗ Branch 1 not taken.
✗ Branch 2 not taken.
✓ Branch 3 taken 9063 times.
|
18126 | ret |= ((len_der != len_der_lax) || (secp256k1_memcmp_var(roundtrip_der_lax, roundtrip_der, len_der) != 0)) << 14; |
| 6536 | } | ||
| 6537 |
1/2✓ Branch 0 taken 204800 times.
✗ Branch 1 not taken.
|
204800 | ret |= (roundtrips_der != roundtrips_der_lax) << 15; |
| 6538 |
2/2✓ Branch 0 taken 9897 times.
✓ Branch 1 taken 194903 times.
|
204800 | if (parsed_der) { |
| 6539 |
1/2✓ Branch 0 taken 9897 times.
✗ Branch 1 not taken.
|
19794 | ret |= (!parsed_der_lax) << 16; |
| 6540 | } | ||
| 6541 | |||
| 6542 | 204800 | return ret; | |
| 6543 | } | ||
| 6544 | |||
| 6545 | 23448 | static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val) { | |
| 6546 | 23448 | size_t i; | |
| 6547 |
2/2✓ Branch 0 taken 376310 times.
✓ Branch 1 taken 23448 times.
|
399758 | for (i = 0; i < ptrlen; i++) { |
| 6548 | 376310 | int shift = ptrlen - 1 - i; | |
| 6549 |
2/2✓ Branch 0 taken 294774 times.
✓ Branch 1 taken 81536 times.
|
376310 | if (shift >= 4) { |
| 6550 | 294774 | ptr[i] = 0; | |
| 6551 | } else { | ||
| 6552 | 81536 | ptr[i] = (val >> shift) & 0xFF; | |
| 6553 | } | ||
| 6554 | } | ||
| 6555 | 23448 | } | |
| 6556 | |||
| 6557 | 192000 | static void damage_array(unsigned char *sig, size_t *len) { | |
| 6558 | 192000 | int pos; | |
| 6559 | 192000 | int action = secp256k1_testrand_bits(3); | |
| 6560 |
3/4✓ Branch 0 taken 24131 times.
✓ Branch 1 taken 167869 times.
✓ Branch 2 taken 24131 times.
✗ Branch 3 not taken.
|
192000 | if (action < 1 && *len > 3) { |
| 6561 | /* Delete a byte. */ | ||
| 6562 | 24131 | pos = secp256k1_testrand_int(*len); | |
| 6563 | 24131 | memmove(sig + pos, sig + pos + 1, *len - pos - 1); | |
| 6564 | 24131 | (*len)--; | |
| 6565 | 24131 | return; | |
| 6566 |
3/4✓ Branch 0 taken 23896 times.
✓ Branch 1 taken 143973 times.
✓ Branch 2 taken 23896 times.
✗ Branch 3 not taken.
|
167869 | } else if (action < 2 && *len < 2048) { |
| 6567 | /* Insert a byte. */ | ||
| 6568 | 23896 | pos = secp256k1_testrand_int(1 + *len); | |
| 6569 | 23896 | memmove(sig + pos + 1, sig + pos, *len - pos); | |
| 6570 | 23896 | sig[pos] = secp256k1_testrand_bits(8); | |
| 6571 | 23896 | (*len)++; | |
| 6572 | 23896 | return; | |
| 6573 |
2/2✓ Branch 0 taken 48233 times.
✓ Branch 1 taken 95740 times.
|
143973 | } else if (action < 4) { |
| 6574 | /* Modify a byte. */ | ||
| 6575 | 48233 | sig[secp256k1_testrand_int(*len)] += 1 + secp256k1_testrand_int(255); | |
| 6576 | 48233 | return; | |
| 6577 | } else { /* action < 8 */ | ||
| 6578 | /* Modify a bit. */ | ||
| 6579 | 95740 | sig[secp256k1_testrand_int(*len)] ^= 1 << secp256k1_testrand_bits(3); | |
| 6580 | 95740 | return; | |
| 6581 | } | ||
| 6582 | } | ||
| 6583 | |||
| 6584 | 12800 | static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly_der, int* certainly_not_der) { | |
| 6585 | 12800 | int der; | |
| 6586 | 12800 | int nlow[2], nlen[2], nlenlen[2], nhbit[2], nhbyte[2], nzlen[2]; | |
| 6587 | 12800 | size_t tlen, elen, glen; | |
| 6588 | 12800 | int indet; | |
| 6589 | 12800 | int n; | |
| 6590 | |||
| 6591 | 12800 | *len = 0; | |
| 6592 | 12800 | der = secp256k1_testrand_bits(2) == 0; | |
| 6593 | 12800 | *certainly_der = der; | |
| 6594 | 12800 | *certainly_not_der = 0; | |
| 6595 |
4/4✓ Branch 0 taken 9534 times.
✓ Branch 1 taken 3266 times.
✓ Branch 3 taken 8606 times.
✓ Branch 4 taken 928 times.
|
12800 | indet = der ? 0 : secp256k1_testrand_int(10) == 0; |
| 6596 | |||
| 6597 |
2/2✓ Branch 0 taken 25600 times.
✓ Branch 1 taken 12800 times.
|
38400 | for (n = 0; n < 2; n++) { |
| 6598 | /* We generate two classes of numbers: nlow==1 "low" ones (up to 32 bytes), nlow==0 "high" ones (32 bytes with 129 top bits set, or larger than 32 bytes) */ | ||
| 6599 |
4/4✓ Branch 0 taken 19068 times.
✓ Branch 1 taken 6532 times.
✓ Branch 3 taken 16747 times.
✓ Branch 4 taken 2321 times.
|
25600 | nlow[n] = der ? 1 : (secp256k1_testrand_bits(3) != 0); |
| 6600 | /* The length of the number in bytes (the first byte of which will always be nonzero) */ | ||
| 6601 |
2/2✓ Branch 0 taken 23279 times.
✓ Branch 1 taken 2321 times.
|
25600 | nlen[n] = nlow[n] ? secp256k1_testrand_int(33) : 32 + secp256k1_testrand_int(200) * secp256k1_testrand_bits(3) / 8; |
| 6602 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 25600 times.
|
25600 | CHECK(nlen[n] <= 232); |
| 6603 | /* The top bit of the number. */ | ||
| 6604 |
6/6✓ Branch 0 taken 2321 times.
✓ Branch 1 taken 23279 times.
✓ Branch 2 taken 1991 times.
✓ Branch 3 taken 330 times.
✓ Branch 4 taken 24578 times.
✓ Branch 5 taken 692 times.
|
25600 | nhbit[n] = (nlow[n] == 0 && nlen[n] == 32) ? 1 : (nlen[n] == 0 ? 0 : secp256k1_testrand_bits(1)); |
| 6605 | /* The top byte of the number (after the potential hardcoded 16 0xFF characters for "high" 32 bytes numbers) */ | ||
| 6606 |
4/4✓ Branch 0 taken 24908 times.
✓ Branch 1 taken 692 times.
✓ Branch 2 taken 12528 times.
✓ Branch 3 taken 12380 times.
|
25600 | nhbyte[n] = nlen[n] == 0 ? 0 : (nhbit[n] ? 128 + secp256k1_testrand_bits(7) : 1 + secp256k1_testrand_int(127)); |
| 6607 | /* The number of zero bytes in front of the number (which is 0 or 1 in case of DER, otherwise we extend up to 300 bytes) */ | ||
| 6608 |
8/8✓ Branch 0 taken 6532 times.
✓ Branch 1 taken 19068 times.
✓ Branch 2 taken 6355 times.
✓ Branch 3 taken 177 times.
✓ Branch 4 taken 3154 times.
✓ Branch 5 taken 3201 times.
✓ Branch 6 taken 16747 times.
✓ Branch 7 taken 2321 times.
|
25600 | nzlen[n] = der ? ((nlen[n] == 0 || nhbit[n]) ? 1 : 0) : (nlow[n] ? secp256k1_testrand_int(3) : secp256k1_testrand_int(300 - nlen[n]) * secp256k1_testrand_bits(3) / 8); |
| 6609 |
6/6✓ Branch 0 taken 24908 times.
✓ Branch 1 taken 692 times.
✓ Branch 2 taken 12528 times.
✓ Branch 3 taken 12380 times.
✓ Branch 4 taken 10367 times.
✓ Branch 5 taken 15233 times.
|
38820 | if (nzlen[n] > ((nlen[n] == 0 || nhbit[n]) ? 1 : 0)) { |
| 6610 | 10367 | *certainly_not_der = 1; | |
| 6611 | } | ||
| 6612 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 25600 times.
|
25600 | CHECK(nlen[n] + nzlen[n] <= 300); |
| 6613 | /* The length of the length descriptor for the number. 0 means short encoding, anything else is long encoding. */ | ||
| 6614 |
4/4✓ Branch 0 taken 1039 times.
✓ Branch 1 taken 24561 times.
✓ Branch 2 taken 31 times.
✓ Branch 3 taken 1008 times.
|
25600 | nlenlen[n] = nlen[n] + nzlen[n] < 128 ? 0 : (nlen[n] + nzlen[n] < 256 ? 1 : 2); |
| 6615 |
2/2✓ Branch 0 taken 19068 times.
✓ Branch 1 taken 6532 times.
|
25600 | if (!der) { |
| 6616 | /* nlenlen[n] max 127 bytes */ | ||
| 6617 | 19068 | int add = secp256k1_testrand_int(127 - nlenlen[n]) * secp256k1_testrand_bits(4) * secp256k1_testrand_bits(4) / 256; | |
| 6618 | 19068 | nlenlen[n] += add; | |
| 6619 |
2/2✓ Branch 0 taken 15075 times.
✓ Branch 1 taken 3993 times.
|
19068 | if (add != 0) { |
| 6620 | 15075 | *certainly_not_der = 1; | |
| 6621 | } | ||
| 6622 | } | ||
| 6623 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 25600 times.
|
25600 | CHECK(nlen[n] + nzlen[n] + nlenlen[n] <= 427); |
| 6624 | } | ||
| 6625 | |||
| 6626 | /* The total length of the data to go, so far */ | ||
| 6627 | 12800 | tlen = 2 + nlenlen[0] + nlen[0] + nzlen[0] + 2 + nlenlen[1] + nlen[1] + nzlen[1]; | |
| 6628 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 12800 times.
|
12800 | CHECK(tlen <= 856); |
| 6629 | |||
| 6630 | /* The length of the garbage inside the tuple. */ | ||
| 6631 |
2/2✓ Branch 0 taken 8606 times.
✓ Branch 1 taken 4194 times.
|
12800 | elen = (der || indet) ? 0 : secp256k1_testrand_int(980 - tlen) * secp256k1_testrand_bits(3) / 8; |
| 6632 |
2/2✓ Branch 0 taken 1121 times.
✓ Branch 1 taken 7485 times.
|
8606 | if (elen != 0) { |
| 6633 | 7485 | *certainly_not_der = 1; | |
| 6634 | } | ||
| 6635 | 12800 | tlen += elen; | |
| 6636 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 12800 times.
|
12800 | CHECK(tlen <= 980); |
| 6637 | |||
| 6638 | /* The length of the garbage after the end of the tuple. */ | ||
| 6639 |
2/2✓ Branch 0 taken 9534 times.
✓ Branch 1 taken 3266 times.
|
12800 | glen = der ? 0 : secp256k1_testrand_int(990 - tlen) * secp256k1_testrand_bits(3) / 8; |
| 6640 |
2/2✓ Branch 0 taken 1278 times.
✓ Branch 1 taken 8256 times.
|
9534 | if (glen != 0) { |
| 6641 | 8256 | *certainly_not_der = 1; | |
| 6642 | } | ||
| 6643 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 12800 times.
|
12800 | CHECK(tlen + glen <= 990); |
| 6644 | |||
| 6645 | /* Write the tuple header. */ | ||
| 6646 | 12800 | sig[(*len)++] = 0x30; | |
| 6647 |
2/2✓ Branch 0 taken 928 times.
✓ Branch 1 taken 11872 times.
|
12800 | if (indet) { |
| 6648 | /* Indeterminate length */ | ||
| 6649 | 928 | sig[(*len)++] = 0x80; | |
| 6650 | 928 | *certainly_not_der = 1; | |
| 6651 | } else { | ||
| 6652 |
4/4✓ Branch 0 taken 6486 times.
✓ Branch 1 taken 5386 times.
✓ Branch 2 taken 3995 times.
✓ Branch 3 taken 2491 times.
|
11872 | int tlenlen = tlen < 128 ? 0 : (tlen < 256 ? 1 : 2); |
| 6653 |
2/2✓ Branch 0 taken 8606 times.
✓ Branch 1 taken 3266 times.
|
11872 | if (!der) { |
| 6654 | 8606 | int add = secp256k1_testrand_int(127 - tlenlen) * secp256k1_testrand_bits(4) * secp256k1_testrand_bits(4) / 256; | |
| 6655 | 8606 | tlenlen += add; | |
| 6656 |
2/2✓ Branch 0 taken 1825 times.
✓ Branch 1 taken 6781 times.
|
8606 | if (add != 0) { |
| 6657 | 6781 | *certainly_not_der = 1; | |
| 6658 | } | ||
| 6659 | } | ||
| 6660 |
2/2✓ Branch 0 taken 3717 times.
✓ Branch 1 taken 8155 times.
|
11872 | if (tlenlen == 0) { |
| 6661 | /* Short length notation */ | ||
| 6662 | 3717 | sig[(*len)++] = tlen; | |
| 6663 | } else { | ||
| 6664 | /* Long length notation */ | ||
| 6665 | 8155 | sig[(*len)++] = 128 + tlenlen; | |
| 6666 | 8155 | assign_big_endian(sig + *len, tlenlen, tlen); | |
| 6667 | 8155 | *len += tlenlen; | |
| 6668 | } | ||
| 6669 | 11872 | tlen += tlenlen; | |
| 6670 | } | ||
| 6671 | 12800 | tlen += 2; | |
| 6672 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 12800 times.
|
12800 | CHECK(tlen + glen <= 1119); |
| 6673 | |||
| 6674 |
2/2✓ Branch 0 taken 25600 times.
✓ Branch 1 taken 12800 times.
|
38400 | for (n = 0; n < 2; n++) { |
| 6675 | /* Write the integer header. */ | ||
| 6676 | 25600 | sig[(*len)++] = 0x02; | |
| 6677 |
2/2✓ Branch 0 taken 10307 times.
✓ Branch 1 taken 15293 times.
|
25600 | if (nlenlen[n] == 0) { |
| 6678 | /* Short length notation */ | ||
| 6679 | 10307 | sig[(*len)++] = nlen[n] + nzlen[n]; | |
| 6680 | } else { | ||
| 6681 | /* Long length notation. */ | ||
| 6682 | 15293 | sig[(*len)++] = 128 + nlenlen[n]; | |
| 6683 | 15293 | assign_big_endian(sig + *len, nlenlen[n], nlen[n] + nzlen[n]); | |
| 6684 | 15293 | *len += nlenlen[n]; | |
| 6685 | } | ||
| 6686 | /* Write zero padding */ | ||
| 6687 |
2/2✓ Branch 0 taken 134922 times.
✓ Branch 1 taken 25600 times.
|
160522 | while (nzlen[n] > 0) { |
| 6688 | 134922 | sig[(*len)++] = 0x00; | |
| 6689 | 134922 | nzlen[n]--; | |
| 6690 | } | ||
| 6691 |
4/4✓ Branch 0 taken 1058 times.
✓ Branch 1 taken 24542 times.
✓ Branch 2 taken 330 times.
✓ Branch 3 taken 728 times.
|
25600 | if (nlen[n] == 32 && !nlow[n]) { |
| 6692 | /* Special extra 16 0xFF bytes in "high" 32-byte numbers */ | ||
| 6693 | int i; | ||
| 6694 |
2/2✓ Branch 0 taken 5280 times.
✓ Branch 1 taken 330 times.
|
5610 | for (i = 0; i < 16; i++) { |
| 6695 | 5280 | sig[(*len)++] = 0xFF; | |
| 6696 | } | ||
| 6697 | 330 | nlen[n] -= 16; | |
| 6698 | } | ||
| 6699 | /* Write first byte of number */ | ||
| 6700 |
2/2✓ Branch 0 taken 24908 times.
✓ Branch 1 taken 692 times.
|
25600 | if (nlen[n] > 0) { |
| 6701 | 24908 | sig[(*len)++] = nhbyte[n]; | |
| 6702 | 24908 | nlen[n]--; | |
| 6703 | } | ||
| 6704 | /* Generate remaining random bytes of number */ | ||
| 6705 | 25600 | secp256k1_testrand_bytes_test(sig + *len, nlen[n]); | |
| 6706 | 25600 | *len += nlen[n]; | |
| 6707 | 25600 | nlen[n] = 0; | |
| 6708 | } | ||
| 6709 | |||
| 6710 | /* Generate random garbage inside tuple. */ | ||
| 6711 | 12800 | secp256k1_testrand_bytes_test(sig + *len, elen); | |
| 6712 | 12800 | *len += elen; | |
| 6713 | |||
| 6714 | /* Generate end-of-contents bytes. */ | ||
| 6715 |
2/2✓ Branch 0 taken 928 times.
✓ Branch 1 taken 11872 times.
|
12800 | if (indet) { |
| 6716 | 928 | sig[(*len)++] = 0; | |
| 6717 | 928 | sig[(*len)++] = 0; | |
| 6718 | 928 | tlen += 2; | |
| 6719 | } | ||
| 6720 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 12800 times.
|
12800 | CHECK(tlen + glen <= 1121); |
| 6721 | |||
| 6722 | /* Generate random garbage outside tuple. */ | ||
| 6723 | 12800 | secp256k1_testrand_bytes_test(sig + *len, glen); | |
| 6724 | 12800 | *len += glen; | |
| 6725 | 12800 | tlen += glen; | |
| 6726 | 12800 | CHECK(tlen <= 1121); | |
| 6727 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 12800 times.
|
12800 | CHECK(tlen == *len); |
| 6728 | 12800 | } | |
| 6729 | |||
| 6730 | 1 | void run_ecdsa_der_parse(void) { | |
| 6731 | 1 | int i,j; | |
| 6732 |
2/2✓ Branch 0 taken 12800 times.
✓ Branch 1 taken 1 times.
|
12801 | for (i = 0; i < 200 * count; i++) { |
| 6733 | 12800 | unsigned char buffer[2048]; | |
| 6734 | 12800 | size_t buflen = 0; | |
| 6735 | 12800 | int certainly_der = 0; | |
| 6736 | 12800 | int certainly_not_der = 0; | |
| 6737 | 12800 | random_ber_signature(buffer, &buflen, &certainly_der, &certainly_not_der); | |
| 6738 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 12800 times.
|
12800 | CHECK(buflen <= 2048); |
| 6739 |
2/2✓ Branch 0 taken 204800 times.
✓ Branch 1 taken 12800 times.
|
217600 | for (j = 0; j < 16; j++) { |
| 6740 | 204800 | int ret = 0; | |
| 6741 |
2/2✓ Branch 0 taken 192000 times.
✓ Branch 1 taken 12800 times.
|
204800 | if (j > 0) { |
| 6742 | 192000 | damage_array(buffer, &buflen); | |
| 6743 | /* We don't know anything anymore about the DERness of the result */ | ||
| 6744 | 192000 | certainly_der = 0; | |
| 6745 | 192000 | certainly_not_der = 0; | |
| 6746 | } | ||
| 6747 | 204800 | ret = test_ecdsa_der_parse(buffer, buflen, certainly_der, certainly_not_der); | |
| 6748 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 204800 times.
|
204800 | if (ret != 0) { |
| 6749 | ✗ | size_t k; | |
| 6750 | ✗ | fprintf(stderr, "Failure %x on ", ret); | |
| 6751 | ✗ | for (k = 0; k < buflen; k++) { | |
| 6752 | ✗ | fprintf(stderr, "%02x ", buffer[k]); | |
| 6753 | } | ||
| 6754 | ✗ | fprintf(stderr, "\n"); | |
| 6755 | } | ||
| 6756 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 204800 times.
|
204800 | CHECK(ret == 0); |
| 6757 | } | ||
| 6758 | } | ||
| 6759 | 1 | } | |
| 6760 | |||
| 6761 | /* Tests several edge cases. */ | ||
| 6762 | 1 | void test_ecdsa_edge_cases(void) { | |
| 6763 | 1 | int t; | |
| 6764 | 1 | secp256k1_ecdsa_signature sig; | |
| 6765 | |||
| 6766 | /* Test the case where ECDSA recomputes a point that is infinity. */ | ||
| 6767 | { | ||
| 6768 | 1 | secp256k1_gej keyj; | |
| 6769 | 1 | secp256k1_ge key; | |
| 6770 | 1 | secp256k1_scalar msg; | |
| 6771 | 1 | secp256k1_scalar sr, ss; | |
| 6772 | 1 | secp256k1_scalar_set_int(&ss, 1); | |
| 6773 | 1 | secp256k1_scalar_negate(&ss, &ss); | |
| 6774 | 1 | secp256k1_scalar_inverse(&ss, &ss); | |
| 6775 | 1 | secp256k1_scalar_set_int(&sr, 1); | |
| 6776 | 1 | secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &keyj, &sr); | |
| 6777 | 1 | secp256k1_ge_set_gej(&key, &keyj); | |
| 6778 | 1 | msg = ss; | |
| 6779 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0); |
| 6780 | } | ||
| 6781 | |||
| 6782 | /* Verify signature with r of zero fails. */ | ||
| 6783 | { | ||
| 6784 | 1 | const unsigned char pubkey_mods_zero[33] = { | |
| 6785 | 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
| 6786 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
| 6787 | 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, | ||
| 6788 | 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, | ||
| 6789 | 0x41 | ||
| 6790 | }; | ||
| 6791 | 1 | secp256k1_ge key; | |
| 6792 | 1 | secp256k1_scalar msg; | |
| 6793 | 1 | secp256k1_scalar sr, ss; | |
| 6794 | 1 | secp256k1_scalar_set_int(&ss, 1); | |
| 6795 | 1 | secp256k1_scalar_set_int(&msg, 0); | |
| 6796 | 1 | secp256k1_scalar_set_int(&sr, 0); | |
| 6797 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey_mods_zero, 33)); |
| 6798 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ecdsa_sig_verify( &sr, &ss, &key, &msg) == 0); |
| 6799 | } | ||
| 6800 | |||
| 6801 | /* Verify signature with s of zero fails. */ | ||
| 6802 | { | ||
| 6803 | 1 | const unsigned char pubkey[33] = { | |
| 6804 | 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 6805 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 6806 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 6807 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 6808 | 0x01 | ||
| 6809 | }; | ||
| 6810 | 1 | secp256k1_ge key; | |
| 6811 | 1 | secp256k1_scalar msg; | |
| 6812 | 1 | secp256k1_scalar sr, ss; | |
| 6813 | 1 | secp256k1_scalar_set_int(&ss, 0); | |
| 6814 | 1 | secp256k1_scalar_set_int(&msg, 0); | |
| 6815 | 1 | secp256k1_scalar_set_int(&sr, 1); | |
| 6816 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33)); |
| 6817 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0); |
| 6818 | } | ||
| 6819 | |||
| 6820 | /* Verify signature with message 0 passes. */ | ||
| 6821 | { | ||
| 6822 | 1 | const unsigned char pubkey[33] = { | |
| 6823 | 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 6824 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 6825 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 6826 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 6827 | 0x02 | ||
| 6828 | }; | ||
| 6829 | 1 | const unsigned char pubkey2[33] = { | |
| 6830 | 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
| 6831 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
| 6832 | 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, | ||
| 6833 | 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, | ||
| 6834 | 0x43 | ||
| 6835 | }; | ||
| 6836 | 1 | secp256k1_ge key; | |
| 6837 | 1 | secp256k1_ge key2; | |
| 6838 | 1 | secp256k1_scalar msg; | |
| 6839 | 1 | secp256k1_scalar sr, ss; | |
| 6840 | 1 | secp256k1_scalar_set_int(&ss, 2); | |
| 6841 | 1 | secp256k1_scalar_set_int(&msg, 0); | |
| 6842 | 1 | secp256k1_scalar_set_int(&sr, 2); | |
| 6843 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33)); |
| 6844 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33)); |
| 6845 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1); |
| 6846 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1); |
| 6847 | 1 | secp256k1_scalar_negate(&ss, &ss); | |
| 6848 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1); |
| 6849 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1); |
| 6850 | 1 | secp256k1_scalar_set_int(&ss, 1); | |
| 6851 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0); |
| 6852 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 0); |
| 6853 | } | ||
| 6854 | |||
| 6855 | /* Verify signature with message 1 passes. */ | ||
| 6856 | { | ||
| 6857 | 1 | const unsigned char pubkey[33] = { | |
| 6858 | 0x02, 0x14, 0x4e, 0x5a, 0x58, 0xef, 0x5b, 0x22, | ||
| 6859 | 0x6f, 0xd2, 0xe2, 0x07, 0x6a, 0x77, 0xcf, 0x05, | ||
| 6860 | 0xb4, 0x1d, 0xe7, 0x4a, 0x30, 0x98, 0x27, 0x8c, | ||
| 6861 | 0x93, 0xe6, 0xe6, 0x3c, 0x0b, 0xc4, 0x73, 0x76, | ||
| 6862 | 0x25 | ||
| 6863 | }; | ||
| 6864 | 1 | const unsigned char pubkey2[33] = { | |
| 6865 | 0x02, 0x8a, 0xd5, 0x37, 0xed, 0x73, 0xd9, 0x40, | ||
| 6866 | 0x1d, 0xa0, 0x33, 0xd2, 0xdc, 0xf0, 0xaf, 0xae, | ||
| 6867 | 0x34, 0xcf, 0x5f, 0x96, 0x4c, 0x73, 0x28, 0x0f, | ||
| 6868 | 0x92, 0xc0, 0xf6, 0x9d, 0xd9, 0xb2, 0x09, 0x10, | ||
| 6869 | 0x62 | ||
| 6870 | }; | ||
| 6871 | 1 | const unsigned char csr[32] = { | |
| 6872 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 6873 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, | ||
| 6874 | 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4, | ||
| 6875 | 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xeb | ||
| 6876 | }; | ||
| 6877 | 1 | secp256k1_ge key; | |
| 6878 | 1 | secp256k1_ge key2; | |
| 6879 | 1 | secp256k1_scalar msg; | |
| 6880 | 1 | secp256k1_scalar sr, ss; | |
| 6881 | 1 | secp256k1_scalar_set_int(&ss, 1); | |
| 6882 | 1 | secp256k1_scalar_set_int(&msg, 1); | |
| 6883 | 1 | secp256k1_scalar_set_b32(&sr, csr, NULL); | |
| 6884 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33)); |
| 6885 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33)); |
| 6886 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1); |
| 6887 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1); |
| 6888 | 1 | secp256k1_scalar_negate(&ss, &ss); | |
| 6889 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1); |
| 6890 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1); |
| 6891 | 1 | secp256k1_scalar_set_int(&ss, 2); | |
| 6892 | 1 | secp256k1_scalar_inverse_var(&ss, &ss); | |
| 6893 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0); |
| 6894 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 0); |
| 6895 | } | ||
| 6896 | |||
| 6897 | /* Verify signature with message -1 passes. */ | ||
| 6898 | { | ||
| 6899 | 1 | const unsigned char pubkey[33] = { | |
| 6900 | 0x03, 0xaf, 0x97, 0xff, 0x7d, 0x3a, 0xf6, 0xa0, | ||
| 6901 | 0x02, 0x94, 0xbd, 0x9f, 0x4b, 0x2e, 0xd7, 0x52, | ||
| 6902 | 0x28, 0xdb, 0x49, 0x2a, 0x65, 0xcb, 0x1e, 0x27, | ||
| 6903 | 0x57, 0x9c, 0xba, 0x74, 0x20, 0xd5, 0x1d, 0x20, | ||
| 6904 | 0xf1 | ||
| 6905 | }; | ||
| 6906 | 1 | const unsigned char csr[32] = { | |
| 6907 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 6908 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, | ||
| 6909 | 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4, | ||
| 6910 | 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xee | ||
| 6911 | }; | ||
| 6912 | 1 | secp256k1_ge key; | |
| 6913 | 1 | secp256k1_scalar msg; | |
| 6914 | 1 | secp256k1_scalar sr, ss; | |
| 6915 | 1 | secp256k1_scalar_set_int(&ss, 1); | |
| 6916 | 1 | secp256k1_scalar_set_int(&msg, 1); | |
| 6917 | 1 | secp256k1_scalar_negate(&msg, &msg); | |
| 6918 | 1 | secp256k1_scalar_set_b32(&sr, csr, NULL); | |
| 6919 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33)); |
| 6920 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1); |
| 6921 | 1 | secp256k1_scalar_negate(&ss, &ss); | |
| 6922 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1); |
| 6923 | 1 | secp256k1_scalar_set_int(&ss, 3); | |
| 6924 | 1 | secp256k1_scalar_inverse_var(&ss, &ss); | |
| 6925 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0); |
| 6926 | } | ||
| 6927 | |||
| 6928 | /* Signature where s would be zero. */ | ||
| 6929 | { | ||
| 6930 | 1 | secp256k1_pubkey pubkey; | |
| 6931 | 1 | size_t siglen; | |
| 6932 | 1 | int32_t ecount; | |
| 6933 | 1 | unsigned char signature[72]; | |
| 6934 | 1 | static const unsigned char nonce[32] = { | |
| 6935 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 6936 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 6937 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 6938 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, | ||
| 6939 | }; | ||
| 6940 | 1 | static const unsigned char nonce2[32] = { | |
| 6941 | 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, | ||
| 6942 | 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE, | ||
| 6943 | 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B, | ||
| 6944 | 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x40 | ||
| 6945 | }; | ||
| 6946 | 1 | const unsigned char key[32] = { | |
| 6947 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 6948 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 6949 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| 6950 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, | ||
| 6951 | }; | ||
| 6952 | 1 | unsigned char msg[32] = { | |
| 6953 | 0x86, 0x41, 0x99, 0x81, 0x06, 0x23, 0x44, 0x53, | ||
| 6954 | 0xaa, 0x5f, 0x9d, 0x6a, 0x31, 0x78, 0xf4, 0xf7, | ||
| 6955 | 0xb8, 0x12, 0xe0, 0x0b, 0x81, 0x7a, 0x77, 0x62, | ||
| 6956 | 0x65, 0xdf, 0xdd, 0x31, 0xb9, 0x3e, 0x29, 0xa9, | ||
| 6957 | }; | ||
| 6958 | 1 | ecount = 0; | |
| 6959 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount); |
| 6960 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 0); |
| 6961 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 0); |
| 6962 | 1 | msg[31] = 0xaa; | |
| 6963 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 1); |
| 6964 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 0); |
| 6965 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ecdsa_sign(ctx, NULL, msg, key, precomputed_nonce_function, nonce2) == 0); |
| 6966 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 1); |
| 6967 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ecdsa_sign(ctx, &sig, NULL, key, precomputed_nonce_function, nonce2) == 0); |
| 6968 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 2); |
| 6969 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, NULL, precomputed_nonce_function, nonce2) == 0); |
| 6970 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 3); |
| 6971 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 1); |
| 6972 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, key) == 1); |
| 6973 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ecdsa_verify(ctx, NULL, msg, &pubkey) == 0); |
| 6974 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 4); |
| 6975 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ecdsa_verify(ctx, &sig, NULL, &pubkey) == 0); |
| 6976 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 5); |
| 6977 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, NULL) == 0); |
| 6978 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 6); |
| 6979 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 1); |
| 6980 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 6); |
| 6981 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0); |
| 6982 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 7); |
| 6983 | /* That pubkeyload fails via an ARGCHECK is a little odd but makes sense because pubkeys are an opaque data type. */ | ||
| 6984 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 0); |
| 6985 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 8); |
| 6986 | 1 | siglen = 72; | |
| 6987 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, NULL, &siglen, &sig) == 0); |
| 6988 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 9); |
| 6989 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, NULL, &sig) == 0); |
| 6990 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 10); |
| 6991 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, NULL) == 0); |
| 6992 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 11); |
| 6993 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 1); |
| 6994 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 11); |
| 6995 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ecdsa_signature_parse_der(ctx, NULL, signature, siglen) == 0); |
| 6996 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 12); |
| 6997 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, NULL, siglen) == 0); |
| 6998 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 13); |
| 6999 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, signature, siglen) == 1); |
| 7000 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 13); |
| 7001 | 1 | siglen = 10; | |
| 7002 | /* Too little room for a signature does not fail via ARGCHECK. */ | ||
| 7003 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 0); |
| 7004 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 13); |
| 7005 | 1 | ecount = 0; | |
| 7006 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, NULL) == 0); |
| 7007 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 1); |
| 7008 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, NULL, &sig) == 0); |
| 7009 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 2); |
| 7010 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, NULL) == 0); |
| 7011 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 3); |
| 7012 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, &sig) == 1); |
| 7013 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 3); |
| 7014 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, NULL, signature) == 0); |
| 7015 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 4); |
| 7016 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, NULL) == 0); |
| 7017 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 5); |
| 7018 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 1); |
| 7019 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 5); |
| 7020 | 1 | memset(signature, 255, 64); | |
| 7021 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 0); |
| 7022 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(ecount == 5); |
| 7023 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | secp256k1_context_set_illegal_callback(ctx, NULL, NULL); |
| 7024 | } | ||
| 7025 | |||
| 7026 | /* Nonce function corner cases. */ | ||
| 7027 |
2/2✓ Branch 0 taken 2 times.
✓ Branch 1 taken 1 times.
|
3 | for (t = 0; t < 2; t++) { |
| 7028 | 2 | static const unsigned char zero[32] = {0x00}; | |
| 7029 | 2 | int i; | |
| 7030 | 2 | unsigned char key[32]; | |
| 7031 | 2 | unsigned char msg[32]; | |
| 7032 | 2 | secp256k1_ecdsa_signature sig2; | |
| 7033 | 2 | secp256k1_scalar sr[512], ss; | |
| 7034 | 2 | const unsigned char *extra; | |
| 7035 |
2/2✓ Branch 0 taken 1 times.
✓ Branch 1 taken 1 times.
|
2 | extra = t == 0 ? NULL : zero; |
| 7036 | 2 | memset(msg, 0, 32); | |
| 7037 | 2 | msg[31] = 1; | |
| 7038 | /* High key results in signature failure. */ | ||
| 7039 | 2 | memset(key, 0xFF, 32); | |
| 7040 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 2 times.
|
2 | CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0); |
| 7041 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
|
2 | CHECK(is_empty_signature(&sig)); |
| 7042 | /* Zero key results in signature failure. */ | ||
| 7043 | 2 | memset(key, 0, 32); | |
| 7044 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 2 times.
|
2 | CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0); |
| 7045 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
|
2 | CHECK(is_empty_signature(&sig)); |
| 7046 | /* Nonce function failure results in signature failure. */ | ||
| 7047 | 2 | key[31] = 1; | |
| 7048 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 2 times.
|
2 | CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_fail, extra) == 0); |
| 7049 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
|
2 | CHECK(is_empty_signature(&sig)); |
| 7050 | /* The retry loop successfully makes its way to the first good value. */ | ||
| 7051 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 2 times.
|
2 | CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_retry, extra) == 1); |
| 7052 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
|
2 | CHECK(!is_empty_signature(&sig)); |
| 7053 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 2 times.
|
2 | CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, nonce_function_rfc6979, extra) == 1); |
| 7054 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
|
2 | CHECK(!is_empty_signature(&sig2)); |
| 7055 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
|
2 | CHECK(secp256k1_memcmp_var(&sig, &sig2, sizeof(sig)) == 0); |
| 7056 | /* The default nonce function is deterministic. */ | ||
| 7057 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 2 times.
|
2 | CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1); |
| 7058 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
|
2 | CHECK(!is_empty_signature(&sig2)); |
| 7059 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
|
2 | CHECK(secp256k1_memcmp_var(&sig, &sig2, sizeof(sig)) == 0); |
| 7060 | /* The default nonce function changes output with different messages. */ | ||
| 7061 |
2/2✓ Branch 0 taken 512 times.
✓ Branch 1 taken 2 times.
|
514 | for(i = 0; i < 256; i++) { |
| 7062 | 512 | int j; | |
| 7063 | 512 | msg[0] = i; | |
| 7064 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 512 times.
|
512 | CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1); |
| 7065 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 512 times.
|
512 | CHECK(!is_empty_signature(&sig2)); |
| 7066 | 512 | secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2); | |
| 7067 |
2/2✓ Branch 1 taken 65280 times.
✓ Branch 2 taken 512 times.
|
66304 | for (j = 0; j < i; j++) { |
| 7068 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 65280 times.
|
65280 | CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j])); |
| 7069 | } | ||
| 7070 | } | ||
| 7071 | 2 | msg[0] = 0; | |
| 7072 | 2 | msg[31] = 2; | |
| 7073 | /* The default nonce function changes output with different keys. */ | ||
| 7074 |
2/2✓ Branch 0 taken 512 times.
✓ Branch 1 taken 2 times.
|
514 | for(i = 256; i < 512; i++) { |
| 7075 | 512 | int j; | |
| 7076 | 512 | key[0] = i - 256; | |
| 7077 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 512 times.
|
512 | CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1); |
| 7078 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 512 times.
|
512 | CHECK(!is_empty_signature(&sig2)); |
| 7079 | 512 | secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2); | |
| 7080 |
2/2✓ Branch 1 taken 196352 times.
✓ Branch 2 taken 512 times.
|
197376 | for (j = 0; j < i; j++) { |
| 7081 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 196352 times.
|
196352 | CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j])); |
| 7082 | } | ||
| 7083 | } | ||
| 7084 | 2 | key[0] = 0; | |
| 7085 | } | ||
| 7086 | |||
| 7087 | { | ||
| 7088 | /* Check that optional nonce arguments do not have equivalent effect. */ | ||
| 7089 | 1 | const unsigned char zeros[32] = {0}; | |
| 7090 | 1 | unsigned char nonce[32]; | |
| 7091 | 1 | unsigned char nonce2[32]; | |
| 7092 | 1 | unsigned char nonce3[32]; | |
| 7093 | 1 | unsigned char nonce4[32]; | |
| 7094 | 1 | VG_UNDEF(nonce,32); | |
| 7095 | 1 | VG_UNDEF(nonce2,32); | |
| 7096 | 1 | VG_UNDEF(nonce3,32); | |
| 7097 | 1 | VG_UNDEF(nonce4,32); | |
| 7098 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(nonce_function_rfc6979(nonce, zeros, zeros, NULL, NULL, 0) == 1); |
| 7099 | 1 | VG_CHECK(nonce,32); | |
| 7100 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(nonce_function_rfc6979(nonce2, zeros, zeros, zeros, NULL, 0) == 1); |
| 7101 | 1 | VG_CHECK(nonce2,32); | |
| 7102 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(nonce_function_rfc6979(nonce3, zeros, zeros, NULL, (void *)zeros, 0) == 1); |
| 7103 | 1 | VG_CHECK(nonce3,32); | |
| 7104 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(nonce_function_rfc6979(nonce4, zeros, zeros, zeros, (void *)zeros, 0) == 1); |
| 7105 | VG_CHECK(nonce4,32); | ||
| 7106 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_memcmp_var(nonce, nonce2, 32) != 0); |
| 7107 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_memcmp_var(nonce, nonce3, 32) != 0); |
| 7108 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_memcmp_var(nonce, nonce4, 32) != 0); |
| 7109 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_memcmp_var(nonce2, nonce3, 32) != 0); |
| 7110 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_memcmp_var(nonce2, nonce4, 32) != 0); |
| 7111 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_memcmp_var(nonce3, nonce4, 32) != 0); |
| 7112 | } | ||
| 7113 | |||
| 7114 | |||
| 7115 | /* Privkey export where pubkey is the point at infinity. */ | ||
| 7116 | { | ||
| 7117 | 1 | unsigned char privkey[300]; | |
| 7118 | 1 | unsigned char seckey[32] = { | |
| 7119 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
| 7120 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, | ||
| 7121 | 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b, | ||
| 7122 | 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41, | ||
| 7123 | }; | ||
| 7124 | 1 | size_t outlen = 300; | |
| 7125 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 0)); |
| 7126 | 1 | outlen = 300; | |
| 7127 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 1)); |
| 7128 | } | ||
| 7129 | 1 | } | |
| 7130 | |||
| 7131 | 1 | void run_ecdsa_edge_cases(void) { | |
| 7132 | ✗ | test_ecdsa_edge_cases(); | |
| 7133 | } | ||
| 7134 | |||
| 7135 | #ifdef ENABLE_MODULE_BPPP | ||
| 7136 | # include "modules/bppp/tests_impl.h" | ||
| 7137 | #endif | ||
| 7138 | |||
| 7139 | #ifdef ENABLE_MODULE_ECDH | ||
| 7140 | # include "modules/ecdh/tests_impl.h" | ||
| 7141 | #endif | ||
| 7142 | |||
| 7143 | #ifdef ENABLE_MODULE_MUSIG | ||
| 7144 | # include "modules/musig/tests_impl.h" | ||
| 7145 | #endif | ||
| 7146 | |||
| 7147 | #ifdef ENABLE_MODULE_RECOVERY | ||
| 7148 | # include "modules/recovery/tests_impl.h" | ||
| 7149 | #endif | ||
| 7150 | |||
| 7151 | #ifdef ENABLE_MODULE_GENERATOR | ||
| 7152 | # include "modules/generator/tests_impl.h" | ||
| 7153 | #endif | ||
| 7154 | |||
| 7155 | #ifdef ENABLE_MODULE_RANGEPROOF | ||
| 7156 | # include "modules/rangeproof/tests_impl.h" | ||
| 7157 | #endif | ||
| 7158 | |||
| 7159 | #ifdef ENABLE_MODULE_WHITELIST | ||
| 7160 | # include "modules/whitelist/tests_impl.h" | ||
| 7161 | #endif | ||
| 7162 | |||
| 7163 | #ifdef ENABLE_MODULE_SURJECTIONPROOF | ||
| 7164 | # include "modules/surjection/tests_impl.h" | ||
| 7165 | #endif | ||
| 7166 | |||
| 7167 | #ifdef ENABLE_MODULE_EXTRAKEYS | ||
| 7168 | # include "modules/extrakeys/tests_impl.h" | ||
| 7169 | #endif | ||
| 7170 | |||
| 7171 | #ifdef ENABLE_MODULE_SCHNORRSIG | ||
| 7172 | # include "modules/schnorrsig/tests_impl.h" | ||
| 7173 | #endif | ||
| 7174 | |||
| 7175 | #ifdef ENABLE_MODULE_ECDSA_S2C | ||
| 7176 | # include "modules/ecdsa_s2c/tests_impl.h" | ||
| 7177 | #endif | ||
| 7178 | |||
| 7179 | #ifdef ENABLE_MODULE_ECDSA_ADAPTOR | ||
| 7180 | # include "modules/ecdsa_adaptor/tests_impl.h" | ||
| 7181 | #endif | ||
| 7182 | |||
| 7183 | 1 | void run_secp256k1_memczero_test(void) { | |
| 7184 | 1 | unsigned char buf1[6] = {1, 2, 3, 4, 5, 6}; | |
| 7185 | 1 | unsigned char buf2[sizeof(buf1)]; | |
| 7186 | |||
| 7187 | /* secp256k1_memczero(..., ..., 0) is a noop. */ | ||
| 7188 | 1 | memcpy(buf2, buf1, sizeof(buf1)); | |
| 7189 |
2/2✓ Branch 0 taken 6 times.
✓ Branch 1 taken 1 times.
|
8 | secp256k1_memczero(buf1, sizeof(buf1), 0); |
| 7190 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_memcmp_var(buf1, buf2, sizeof(buf1)) == 0); |
| 7191 | |||
| 7192 | /* secp256k1_memczero(..., ..., 1) zeros the buffer. */ | ||
| 7193 | 1 | memset(buf2, 0, sizeof(buf2)); | |
| 7194 |
2/2✓ Branch 0 taken 6 times.
✓ Branch 1 taken 1 times.
|
8 | secp256k1_memczero(buf1, sizeof(buf1) , 1); |
| 7195 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_memcmp_var(buf1, buf2, sizeof(buf1)) == 0); |
| 7196 | 1 | } | |
| 7197 | |||
| 7198 | 1 | void run_secp256k1_byteorder_tests(void) { | |
| 7199 | 1 | const uint32_t x = 0xFF03AB45; | |
| 7200 | 1 | const unsigned char x_be[4] = {0xFF, 0x03, 0xAB, 0x45}; | |
| 7201 | 1 | unsigned char buf[4]; | |
| 7202 | 1 | uint32_t x_; | |
| 7203 | |||
| 7204 |
2/2✓ Branch 0 taken 4 times.
✓ Branch 1 taken 1 times.
|
5 | secp256k1_write_be32(buf, x); |
| 7205 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(secp256k1_memcmp_var(buf, x_be, sizeof(buf)) == 0); |
| 7206 | |||
| 7207 | 1 | x_ = secp256k1_read_be32(buf); | |
| 7208 | 1 | CHECK(x == x_); | |
| 7209 | 1 | } | |
| 7210 | |||
| 7211 | 1 | void int_cmov_test(void) { | |
| 7212 | 1 | int r = INT_MAX; | |
| 7213 | 1 | int a = 0; | |
| 7214 | |||
| 7215 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | secp256k1_int_cmov(&r, &a, 0); |
| 7216 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(r == INT_MAX); |
| 7217 | |||
| 7218 | 1 | r = 0; a = INT_MAX; | |
| 7219 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | secp256k1_int_cmov(&r, &a, 1); |
| 7220 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(r == INT_MAX); |
| 7221 | |||
| 7222 | 1 | a = 0; | |
| 7223 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | secp256k1_int_cmov(&r, &a, 1); |
| 7224 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(r == 0); |
| 7225 | |||
| 7226 | 1 | a = 1; | |
| 7227 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | secp256k1_int_cmov(&r, &a, 1); |
| 7228 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(r == 1); |
| 7229 | |||
| 7230 | 1 | r = 1; a = 0; | |
| 7231 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | secp256k1_int_cmov(&r, &a, 0); |
| 7232 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | CHECK(r == 1); |
| 7233 | |||
| 7234 | 1 | } | |
| 7235 | |||
| 7236 | 1 | void fe_cmov_test(void) { | |
| 7237 | 1 | static const secp256k1_fe zero = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0); | |
| 7238 | 1 | static const secp256k1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1); | |
| 7239 | 1 | static const secp256k1_fe max = SECP256K1_FE_CONST( | |
| 7240 | 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, | ||
| 7241 | 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL | ||
| 7242 | ); | ||
| 7243 | 1 | secp256k1_fe r = max; | |
| 7244 | 1 | secp256k1_fe a = zero; | |
| 7245 | |||
| 7246 | 1 | secp256k1_fe_cmov(&r, &a, 0); | |
| 7247 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
2 | CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0); |
| 7248 | |||
| 7249 | 1 | r = zero; a = max; | |
| 7250 | 1 | secp256k1_fe_cmov(&r, &a, 1); | |
| 7251 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
2 | CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0); |
| 7252 | |||
| 7253 | 1 | a = zero; | |
| 7254 | 1 | secp256k1_fe_cmov(&r, &a, 1); | |
| 7255 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
2 | CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0); |
| 7256 | |||
| 7257 | 1 | a = one; | |
| 7258 | 1 | secp256k1_fe_cmov(&r, &a, 1); | |
| 7259 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
2 | CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0); |
| 7260 | |||
| 7261 | 1 | r = one; a = zero; | |
| 7262 | 1 | secp256k1_fe_cmov(&r, &a, 0); | |
| 7263 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
2 | CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0); |
| 7264 | 1 | } | |
| 7265 | |||
| 7266 | 1 | void fe_storage_cmov_test(void) { | |
| 7267 | 1 | static const secp256k1_fe_storage zero = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0); | |
| 7268 | 1 | static const secp256k1_fe_storage one = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1); | |
| 7269 | 1 | static const secp256k1_fe_storage max = SECP256K1_FE_STORAGE_CONST( | |
| 7270 | 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, | ||
| 7271 | 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL | ||
| 7272 | ); | ||
| 7273 | 1 | secp256k1_fe_storage r = max; | |
| 7274 | 1 | secp256k1_fe_storage a = zero; | |
| 7275 | |||
| 7276 | 1 | secp256k1_fe_storage_cmov(&r, &a, 0); | |
| 7277 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
2 | CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0); |
| 7278 | |||
| 7279 | 1 | r = zero; a = max; | |
| 7280 | 1 | secp256k1_fe_storage_cmov(&r, &a, 1); | |
| 7281 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
2 | CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0); |
| 7282 | |||
| 7283 | 1 | a = zero; | |
| 7284 | 1 | secp256k1_fe_storage_cmov(&r, &a, 1); | |
| 7285 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
2 | CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0); |
| 7286 | |||
| 7287 | 1 | a = one; | |
| 7288 | 1 | secp256k1_fe_storage_cmov(&r, &a, 1); | |
| 7289 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
2 | CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0); |
| 7290 | |||
| 7291 | 1 | r = one; a = zero; | |
| 7292 | 1 | secp256k1_fe_storage_cmov(&r, &a, 0); | |
| 7293 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
2 | CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0); |
| 7294 | 1 | } | |
| 7295 | |||
| 7296 | 1 | void scalar_cmov_test(void) { | |
| 7297 | 1 | static const secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0); | |
| 7298 | 1 | static const secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1); | |
| 7299 | 1 | static const secp256k1_scalar max = SECP256K1_SCALAR_CONST( | |
| 7300 | 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, | ||
| 7301 | 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL | ||
| 7302 | ); | ||
| 7303 | 1 | secp256k1_scalar r = max; | |
| 7304 | 1 | secp256k1_scalar a = zero; | |
| 7305 | |||
| 7306 | 1 | secp256k1_scalar_cmov(&r, &a, 0); | |
| 7307 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
2 | CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0); |
| 7308 | |||
| 7309 | 1 | r = zero; a = max; | |
| 7310 | 1 | secp256k1_scalar_cmov(&r, &a, 1); | |
| 7311 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
2 | CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0); |
| 7312 | |||
| 7313 | 1 | a = zero; | |
| 7314 | 1 | secp256k1_scalar_cmov(&r, &a, 1); | |
| 7315 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
2 | CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0); |
| 7316 | |||
| 7317 | 1 | a = one; | |
| 7318 | 1 | secp256k1_scalar_cmov(&r, &a, 1); | |
| 7319 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
2 | CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0); |
| 7320 | |||
| 7321 | 1 | r = one; a = zero; | |
| 7322 | 1 | secp256k1_scalar_cmov(&r, &a, 0); | |
| 7323 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
2 | CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0); |
| 7324 | 1 | } | |
| 7325 | |||
| 7326 | 1 | void ge_storage_cmov_test(void) { | |
| 7327 | 1 | static const secp256k1_ge_storage zero = SECP256K1_GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0); | |
| 7328 | 1 | static const secp256k1_ge_storage one = SECP256K1_GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1); | |
| 7329 | 1 | static const secp256k1_ge_storage max = SECP256K1_GE_STORAGE_CONST( | |
| 7330 | 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, | ||
| 7331 | 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, | ||
| 7332 | 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, | ||
| 7333 | 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL | ||
| 7334 | ); | ||
| 7335 | 1 | secp256k1_ge_storage r = max; | |
| 7336 | 1 | secp256k1_ge_storage a = zero; | |
| 7337 | |||
| 7338 | 1 | secp256k1_ge_storage_cmov(&r, &a, 0); | |
| 7339 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
2 | CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0); |
| 7340 | |||
| 7341 | 1 | r = zero; a = max; | |
| 7342 | 1 | secp256k1_ge_storage_cmov(&r, &a, 1); | |
| 7343 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
2 | CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0); |
| 7344 | |||
| 7345 | 1 | a = zero; | |
| 7346 | 1 | secp256k1_ge_storage_cmov(&r, &a, 1); | |
| 7347 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
2 | CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0); |
| 7348 | |||
| 7349 | 1 | a = one; | |
| 7350 | 1 | secp256k1_ge_storage_cmov(&r, &a, 1); | |
| 7351 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
2 | CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0); |
| 7352 | |||
| 7353 | 1 | r = one; a = zero; | |
| 7354 | 1 | secp256k1_ge_storage_cmov(&r, &a, 0); | |
| 7355 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
2 | CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0); |
| 7356 | 1 | } | |
| 7357 | |||
| 7358 | 1 | void run_cmov_tests(void) { | |
| 7359 | 1 | int_cmov_test(); | |
| 7360 | 1 | fe_cmov_test(); | |
| 7361 | 1 | fe_storage_cmov_test(); | |
| 7362 | 1 | scalar_cmov_test(); | |
| 7363 | 1 | ge_storage_cmov_test(); | |
| 7364 | 1 | } | |
| 7365 | |||
| 7366 | 1 | int main(int argc, char **argv) { | |
| 7367 | /* Disable buffering for stdout to improve reliability of getting | ||
| 7368 | * diagnostic information. Happens right at the start of main because | ||
| 7369 | * setbuf must be used before any other operation on the stream. */ | ||
| 7370 | 1 | setbuf(stdout, NULL); | |
| 7371 | /* Also disable buffering for stderr because it's not guaranteed that it's | ||
| 7372 | * unbuffered on all systems. */ | ||
| 7373 | 1 | setbuf(stderr, NULL); | |
| 7374 | |||
| 7375 | /* find iteration count */ | ||
| 7376 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | if (argc > 1) { |
| 7377 | ✗ | count = strtol(argv[1], NULL, 0); | |
| 7378 | } else { | ||
| 7379 | 1 | const char* env = getenv("SECP256K1_TEST_ITERS"); | |
| 7380 |
1/4✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
✗ Branch 2 not taken.
✗ Branch 3 not taken.
|
1 | if (env && strlen(env) > 0) { |
| 7381 | ✗ | count = strtol(env, NULL, 0); | |
| 7382 | } | ||
| 7383 | } | ||
| 7384 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | if (count <= 0) { |
| 7385 | ✗ | fputs("An iteration count of 0 or less is not allowed.\n", stderr); | |
| 7386 | ✗ | return EXIT_FAILURE; | |
| 7387 | } | ||
| 7388 | 1 | printf("test count = %i\n", count); | |
| 7389 | |||
| 7390 | /* find random seed */ | ||
| 7391 |
1/2✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
|
1 | secp256k1_testrand_init(argc > 2 ? argv[2] : NULL); |
| 7392 | |||
| 7393 | /* initialize */ | ||
| 7394 | 1 | run_context_tests(0); | |
| 7395 | 1 | run_context_tests(1); | |
| 7396 | 1 | run_scratch_tests(); | |
| 7397 | 1 | ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY); | |
| 7398 |
1/2✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
|
1 | if (secp256k1_testrand_bits(1)) { |
| 7399 | ✗ | unsigned char rand32[32]; | |
| 7400 | ✗ | secp256k1_testrand256(rand32); | |
| 7401 | ✗ | CHECK(secp256k1_context_randomize(ctx, secp256k1_testrand_bits(1) ? rand32 : NULL)); | |
| 7402 | } | ||
| 7403 | |||
| 7404 | 1 | run_rand_bits(); | |
| 7405 | 1 | run_rand_int(); | |
| 7406 | 1 | run_util_tests(); | |
| 7407 | |||
| 7408 | 1 | run_ctz_tests(); | |
| 7409 | 1 | run_modinv_tests(); | |
| 7410 | 1 | run_inverse_tests(); | |
| 7411 | |||
| 7412 | 1 | run_sha256_known_output_tests(); | |
| 7413 | 1 | run_sha256_counter_tests(); | |
| 7414 | 1 | run_hmac_sha256_tests(); | |
| 7415 | 1 | run_rfc6979_hmac_sha256_tests(); | |
| 7416 | 1 | run_tagged_sha256_tests(); | |
| 7417 | |||
| 7418 | /* scalar tests */ | ||
| 7419 | 1 | run_scalar_tests(); | |
| 7420 | |||
| 7421 | /* field tests */ | ||
| 7422 | 1 | run_field_half(); | |
| 7423 | 1 | run_field_misc(); | |
| 7424 | 1 | run_field_convert(); | |
| 7425 | 1 | run_fe_mul(); | |
| 7426 | 1 | run_sqr(); | |
| 7427 | 1 | run_sqrt(); | |
| 7428 | |||
| 7429 | /* group tests */ | ||
| 7430 | 1 | run_ge(); | |
| 7431 | 1 | run_gej(); | |
| 7432 | 1 | run_group_decompress(); | |
| 7433 | |||
| 7434 | /* ecmult tests */ | ||
| 7435 | 1 | run_ecmult_pre_g(); | |
| 7436 | 1 | run_wnaf(); | |
| 7437 | 1 | run_point_times_order(); | |
| 7438 | 1 | run_ecmult_near_split_bound(); | |
| 7439 | 1 | run_ecmult_chain(); | |
| 7440 | 1 | run_ecmult_constants(); | |
| 7441 | 1 | run_ecmult_gen_blind(); | |
| 7442 | 1 | run_ecmult_const_tests(); | |
| 7443 | 1 | run_ecmult_multi_tests(); | |
| 7444 | 1 | run_ec_combine(); | |
| 7445 | 1 | run_ec_commit(); | |
| 7446 | |||
| 7447 | /* endomorphism tests */ | ||
| 7448 | 1 | run_endomorphism_tests(); | |
| 7449 | |||
| 7450 | /* EC point parser test */ | ||
| 7451 | 1 | run_ec_pubkey_parse_test(); | |
| 7452 | |||
| 7453 | /* EC key edge cases */ | ||
| 7454 | 1 | run_eckey_edge_case_test(); | |
| 7455 | |||
| 7456 | /* EC key arithmetic test */ | ||
| 7457 | 1 | run_eckey_negate_test(); | |
| 7458 | |||
| 7459 | #ifdef ENABLE_MODULE_BPPP | ||
| 7460 | run_bppp_tests(); | ||
| 7461 | #endif | ||
| 7462 | |||
| 7463 | #ifdef ENABLE_MODULE_ECDH | ||
| 7464 | /* ecdh tests */ | ||
| 7465 | run_ecdh_tests(); | ||
| 7466 | #endif | ||
| 7467 | |||
| 7468 | #ifdef ENABLE_MODULE_MUSIG | ||
| 7469 | run_musig_tests(); | ||
| 7470 | #endif | ||
| 7471 | |||
| 7472 | /* ecdsa tests */ | ||
| 7473 | 1 | run_pubkey_comparison(); | |
| 7474 | 1 | run_random_pubkeys(); | |
| 7475 | 1 | run_ecdsa_der_parse(); | |
| 7476 | 1 | run_ecdsa_sign_verify(); | |
| 7477 | 1 | run_ecdsa_end_to_end(); | |
| 7478 | 1 | run_ecdsa_edge_cases(); | |
| 7479 | |||
| 7480 | #ifdef ENABLE_MODULE_RECOVERY | ||
| 7481 | /* ECDSA pubkey recovery tests */ | ||
| 7482 | run_recovery_tests(); | ||
| 7483 | #endif | ||
| 7484 | |||
| 7485 | #ifdef ENABLE_MODULE_GENERATOR | ||
| 7486 | run_generator_tests(); | ||
| 7487 | #endif | ||
| 7488 | |||
| 7489 | #ifdef ENABLE_MODULE_RANGEPROOF | ||
| 7490 | run_rangeproof_tests(); | ||
| 7491 | #endif | ||
| 7492 | |||
| 7493 | #ifdef ENABLE_MODULE_WHITELIST | ||
| 7494 | /* Key whitelisting tests */ | ||
| 7495 | run_whitelist_tests(); | ||
| 7496 | #endif | ||
| 7497 | |||
| 7498 | #ifdef ENABLE_MODULE_SURJECTIONPROOF | ||
| 7499 | run_surjection_tests(); | ||
| 7500 | #endif | ||
| 7501 | |||
| 7502 | #ifdef ENABLE_MODULE_EXTRAKEYS | ||
| 7503 | 1 | run_extrakeys_tests(); | |
| 7504 | #endif | ||
| 7505 | |||
| 7506 | #ifdef ENABLE_MODULE_SCHNORRSIG | ||
| 7507 | 1 | run_schnorrsig_tests(); | |
| 7508 | #endif | ||
| 7509 | |||
| 7510 | #ifdef ENABLE_MODULE_ECDSA_S2C | ||
| 7511 | /* ECDSA sign to contract */ | ||
| 7512 | run_ecdsa_s2c_tests(); | ||
| 7513 | #endif | ||
| 7514 | |||
| 7515 | #ifdef ENABLE_MODULE_ECDSA_ADAPTOR | ||
| 7516 | run_ecdsa_adaptor_tests(); | ||
| 7517 | #endif | ||
| 7518 | |||
| 7519 | /* util tests */ | ||
| 7520 | 1 | run_secp256k1_memczero_test(); | |
| 7521 | 1 | run_secp256k1_byteorder_tests(); | |
| 7522 | |||
| 7523 | 1 | run_cmov_tests(); | |
| 7524 | |||
| 7525 | 1 | secp256k1_testrand_finish(); | |
| 7526 | |||
| 7527 | /* shutdown */ | ||
| 7528 | 1 | secp256k1_context_destroy(ctx); | |
| 7529 | |||
| 7530 | 1 | printf("no problems found\n"); | |
| 7531 | 1 | return 0; | |
| 7532 | } | ||
| 7533 |